The AaveDIVAWrapper contract passes its constructor arguments to the AaveDIVAWrapperCore constructor in the wrong order, so the _aaveV3Pool and _diva addresses are swapped during initialization and the contract stores each critical address in the other's slot. Because both parameters have type address, the compiler does not catch the swap. The misconfiguration leads to incorrect behavior whenever the contract interacts with the Aave V3 Pool or the DIVA Protocol.
The vulnerability arises in the AaveDIVAWrapper contract's constructor(https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L12), where the parameters _aaveV3Pool and _diva are passed in the wrong order to the AaveDIVAWrapperCore constructor(https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L52C1-L62C6).
Incorrect contract behavior: the contract will call the DIVA Protocol address where it expects the Aave V3 Pool and vice versa, leading to reverted transactions or unintended interactions.
Yield management issues: since the contract relies on these addresses for yield generation and collateral management, the misconfiguration could result in loss of funds or locked collateral.
Operational failures: every function that depends on the correct Aave V3 Pool or DIVA Protocol address will fail, rendering the contract unusable.
Tools used: manual code review.
To fix this vulnerability, adjust the parameter order in the AaveDIVAWrapper constructor to match the expected order in AaveDIVAWrapperCore. The corrected code should look like this:
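As an added illustration (not the project's code and not a quote from the linked files; the minimal Core stand-in, its parameter names and the order in which it expects them are assumptions for this example), the following Solidity shows the swapped positional forwarding beside the corrected form, together with a Foundry test that makes the swap visible at deployment time. Because both arguments are of type address, only a test like this or an explicit post-deployment check of the stored addresses reveals the mistake.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal stand-in for AaveDIVAWrapperCore. It stores the two
// protocol addresses as immutables and expects them in the order
// (diva, aaveV3Pool, owner). The real signature is in the linked source;
// this order and these names are assumed for the example only.
contract CoreExample {
    address public immutable diva;
    address public immutable aaveV3Pool;
    address public immutable owner;

    constructor(address diva_, address aaveV3Pool_, address owner_) {
        // Generic zero-address guard (added here as a defensive measure,
        // not something the audited contract is claimed to do).
        require(diva_ != address(0) && aaveV3Pool_ != address(0), "zero address");
        diva = diva_;
        aaveV3Pool = aaveV3Pool_;
        owner = owner_;
    }
}

// Vulnerable pattern: the wrapper declares its parameters in a different
// order from the base constructor and forwards them positionally.
// Solidity only checks types, so two `address` arguments swap silently.
contract WrapperSwapped is CoreExample {
    constructor(address _aaveV3Pool, address _diva, address _owner)
        CoreExample(_aaveV3Pool, _diva, _owner) {}
}

// Fixed pattern: forward each argument to the matching base parameter.
contract WrapperFixed is CoreExample {
    constructor(address _aaveV3Pool, address _diva, address _owner)
        CoreExample(_diva, _aaveV3Pool, _owner) {}
}

// Foundry test that catches the misconfiguration at deployment time by
// reading back the stored addresses through the public immutable getters.
contract WrapperOrderTest is Test {
    address constant POOL = address(0xA11CE);  // constructed sample value
    address constant DIVA = address(0xD1FA);   // constructed sample value
    address constant OWNER = address(0xBEEF);  // constructed sample value

    function testSwappedOrderStoresWrongAddresses() public {
        WrapperSwapped w = new WrapperSwapped(POOL, DIVA, OWNER);
        assertEq(w.aaveV3Pool(), DIVA); // pool slot now holds the DIVA address
        assertEq(w.diva(), POOL);       // diva slot now holds the pool address
    }

    function testFixedOrderStoresCorrectAddresses() public {
        WrapperFixed w = new WrapperFixed(POOL, DIVA, OWNER);
        assertEq(w.aaveV3Pool(), POOL);
        assertEq(w.diva(), DIVA);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The second test is the kind of deployment assertion worth keeping permanently: a test that reads every immutable address back from the deployed wrapper and compares it with the intended value turns a silent parameter swap into a failing CI run.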