Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Oversight in incorrect Token Symbol/Name Causes User Confusion in AaveDIVAWrapper

cipherhawk

Incorrect Token Symbol/Name Causes User Confusion in AaveDIVAWrapper

Issue Overview

The WToken contract sets both the name and symbol to the same value, which can lead to confusing token representations in wallets, explorers, and user interfaces.

Root Cause

Vulnerable Code

constructor(string memory symbol_, uint8 decimals_, address owner_) ERC20(symbol_, symbol_) {

// name = symbol for simplicity

}

The token name is assigned the same value as the symbol (symbol_).
Example: If the symbol is "wUSDC", the token name is also "wUSDC", violating ERC20 conventions.
Expected Behavior: The name should be descriptive (e.g., "Wrapped USDC"), and the symbol should be short and identifiable (e.g., "wUSDC").

Attack Scenario: User Misinterpretation of Token Identity

Confusion in Wallets & Block Explorers
- Users interacting with wUSDC expect to see "Wrapped USDC" in their wallets.
- Instead, wallets display only "wUSDC" as both the name and symbol, making it unclear what the token represents.
Potential for Impersonation Risks
- A malicious token with the same symbol ("wUSDC") but different internal logic could be mistaken for the official wrapped token.
- Users may trust a fake token, leading to scams or lost funds.

Impact Analysis

🔵 Severity: Medium
✅ Likelihood: Moderate – Users often rely on token names for identification.
✅ Impact: High – Incorrect naming can lead to trust issues, user confusion, and impersonation risks.

Proposed Solution

✅ Fix 1: Define Separate Name and Symbol Values

Modify the constructor to allow a distinct name and symbol for clarity.

constructor(string memory name_, string memory symbol_, uint8 decimals_, address owner_)

ERC20(name_, symbol_) {

_owner = owner_;

_decimals = decimals_;

}

Example Usage:

new WToken("Wrapped USDC", "wUSDC", 6, msg.sender);

✅ Ensures proper token identification across wallets and explorers.

✅ Fix 2: Enforce Naming Conventions During Token Deployment

Require names to follow a standardized format ("Wrapped <Asset>").

require(bytes(name_).length > 0, "Invalid token name");

require(bytes(symbol_).length > 0, "Invalid token symbol");

require(bytes(name_).length > bytes(symbol_).length, "Name must be more descriptive than symbol");

✅ Prevents contracts from using identical name and symbol values.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.