Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Lack of Input Validation in `batchApproveCollateralTokenForAave`

futhmah456

Summary

The batchApproveCollateralTokenForAave on line https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L202 function lacks proper validation of input parameters. If an empty or invalid array is passed, the function processes without effect or fails unexpectedly.

Vulnerability Details

The function processes user-supplied arrays without checking if the array is empty or contains invalid collateral token addresses. This could lead to wasted gas fees or failure in specific edge cases.

For example:

// contract AaveDIVAWrapper.sol, line 202
function batchApproveCollateralTokenForAave(address[] calldata _collateralTokens) external override {
uint256 _length = _collateralTokens.length;
for (uint256 i = 0; i < _length; i++) {
_approveCollateralTokenForAave(_collateralTokens[i]);
}
}

If _collateralTokens is an empty array, the loop won’t execute, wasting user gas fees unnecessarily.

Impact

  • While the impact is minimal, the lack of validation can inconvenience users and result in inefficient function execution.

  • Users waste gas fees on empty or invalid transactions.

Tools Used

Manual code review

Recommendations

  1. Add input validation to check for empty arrays:

require(_collateralTokens.length > 0, "Input array cannot be empty");

2 Address Validation:
Ensure each token address is valid (e.g., not address(0)):

for (uint256 i = 0; i < _collateralTokens.length; i++) {
require(_collateralTokens[i] != address(0), "Invalid token address");
}
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.