HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Lack of Access Control in `approveCollateralTokenForAave`

Summary

The `approveCollateralTokenForAave` function in `AaveDIVAWrapper.sol` (line 22) is callable by any user. This could allow unauthorized entities to approve collateral tokens, potentially disrupting the protocol's token approval mechanism.

Vulnerability Details

Unlike other functions in the contract (e.g., `registerCollateralToken`), the `approveCollateralTokenForAave` function lacks the `onlyOwner` modifier. This allows any user to invoke it, as seen below:

```solidity
// `AaveDIVAWrapper.sol` line 22
// No access-control modifier: any caller reaches the internal approval logic.
function approveCollateralTokenForAave(address _collateralToken) external override {
    _approveCollateralTokenForAave(_collateralToken);
}
```

This could lead to unwanted token approvals by malicious or unintended actors.

Impact

Unrestricted access could disrupt the system's operation or allow attackers to manipulate token approval logic, affecting subsequent transactions.

Tools Used

Manual code review

Recommendations

Add the `onlyOwner` modifier to this function to restrict access to authorized entities only:

```solidity
// Recommended form: only the contract owner may trigger the approval.
function approveCollateralTokenForAave(address _collateralToken) external override onlyOwner {
    _approveCollateralTokenForAave(_collateralToken);
}
```

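To show how the recommended restriction would be verified, the following is an added Foundry test written for this page; it is not part of the original submission or of the AaveDIVAWrapper code base. `WrapperStub`, `MockToken`, the `NotOwner` error, the placeholder addresses and the assumed body of `_approveCollateralTokenForAave` (an unlimited `approve` to the Aave pool address) are all assumptions made for the example, since the real wrapper's internals are not on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Minimal token stand-in: records allowances so the test can observe them.
contract MockToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }
}

// Stand-in for the wrapper. Only the access-control shape is modelled here;
// the body of _approveCollateralTokenForAave is an assumption for this example.
contract WrapperStub {
    error NotOwner(address caller);

    address public immutable owner;
    address public immutable aavePool;

    constructor(address _aavePool) {
        owner = msg.sender;
        aavePool = _aavePool;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    // Recommended form from the submission: restricted to the owner.
    function approveCollateralTokenForAave(address _collateralToken) external onlyOwner {
        _approveCollateralTokenForAave(_collateralToken);
    }

    function _approveCollateralTokenForAave(address _collateralToken) internal {
        // Assumed body: grant the Aave pool an unlimited allowance on the token.
        MockToken(_collateralToken).approve(aavePool, type(uint256).max);
    }
}

contract ApproveAccessControlTest is Test {
    WrapperStub wrapper;
    MockToken token;
    address constant POOL = address(0xA11CE);    // constructed placeholder pool address
    address constant STRANGER = address(0xBEEF); // constructed non-owner address

    function setUp() public {
        token = new MockToken();
        wrapper = new WrapperStub(POOL); // this test contract becomes the owner
    }

    function test_OwnerCanApprove() public {
        wrapper.approveCollateralTokenForAave(address(token));
        assertEq(token.allowance(address(wrapper), POOL), type(uint256).max);
    }

    function test_NonOwnerReverts() public {
        vm.prank(STRANGER);
        vm.expectRevert(abi.encodeWithSelector(WrapperStub.NotOwner.selector, STRANGER));
        wrapper.approveCollateralTokenForAave(address(token));
        // The revert means no allowance was written on behalf of the wrapper.
        assertEq(token.allowance(address(wrapper), POOL), 0);
    }
}
```

Run with `forge test` in a project that has `forge-std` installed. The test encodes the submission's recommendation only; the judge's verdict below records that the unrestricted function was an intentional design choice, so this is a model of the proposed change rather than of the project's actual behaviour.
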
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
