HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Returned boolean value is ignored.

Summary

Within AaveDivaWrapperCore.sol, the function that registers a collateral token (`_registerCollateralToken`) calls `approve` on both the wToken and the collateral token but ignores the bool each call returns.

Vulnerability Details

There is a chance, although a very low one, that one of the approvals fails and returns `false` instead of reverting; in that case the returned bool should not be ignored, because the registration completes even though no allowance was granted.

```solidity
function _registerCollateralToken(address _collateralToken) internal returns (address) {
    // Verify that the collateral token is not yet registered.
    if (_collateralTokenToWToken[_collateralToken] != address(0)) {
        revert CollateralTokenAlreadyRegistered();
    }
    .....
    .....
    .....
    .....
    // Note that granting an infinite allowance for wToken does not reduce the allowance on `transferFrom` as it uses a newer OpenZeppelin ERC20 implementation.
    // However, this behavior may differ for collateral tokens like USDC, DAI, or WETH used in Aave. These tokens decrement the allowance with each use of
    // `transferFrom`, even if an unlimited allowance is set. Consequently, though very unlikely, AaveDIVAWrapper could eventually exhaust its allowance.
    // The `approveCollateralTokenForAave` function has been implemented to manually reset the allowance to unlimited.
@>  _wTokenContract.approve(_diva, type(uint256).max);
@>  _collateralTokenContract.approve(_aaveV3Pool, type(uint256).max);
    emit CollateralTokenRegistered(_collateralToken, _wToken);
    return _wToken;
}
```

LINK TO CODE: https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L115-L116

Impact

LIKELIHOOD: Very low

There is no alternative way for the AaveDivaWrapper contract to grant the allowance to the DIVA protocol, so a silently failed `approve` leaves the wrapper unable to operate with that token.

Tools Used

Manual review

Recommendations

The return values of both `approve` calls should be checked, and the registration should revert when either call returns `false`.
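The following is an added example, not code from the DIVA/Aave wrapper repository, illustrating both the unchecked pattern described in the finding and the recommended fix. It assumes a minimal `IERC20` interface with a bool-returning `approve`, a constructed mock token (`FalseReturningToken`) that signals rejection by returning `false` rather than reverting, and the contract and error names shown, all of which are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not part of the audited code base. The interface, the mock
// token and the two wrapper contracts below are constructed for illustration.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

/// @dev Constructed mock: an ERC20 whose approve() returns false instead of
/// reverting when it rejects an approval (here: while paused). Some tokens
/// report failure this way, which is exactly the case the finding is about.
contract FalseReturningToken is IERC20 {
    mapping(address => mapping(address => uint256)) public allowance;
    bool public paused;

    function setPaused(bool _paused) external {
        paused = _paused;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        if (paused) return false; // silent failure: no revert, no allowance
        allowance[msg.sender][spender] = amount;
        return true;
    }
}

/// @dev The pattern flagged in the finding: the bool is discarded, so a false
/// return leaves the spender with no allowance while register() still succeeds
/// and any "registered" bookkeeping or event would be emitted as if it worked.
contract UncheckedApproveWrapper {
    function register(IERC20 token, address spender) external {
        token.approve(spender, type(uint256).max); // return value ignored
    }
}

/// @dev Hardened pattern: a false return is treated as a failed registration
/// and the whole transaction reverts, so state never records a token whose
/// allowance was not actually granted.
contract CheckedApproveWrapper {
    error ApproveFailed(address token, address spender);

    function register(IERC20 token, address spender) external {
        bool ok = token.approve(spender, type(uint256).max);
        if (!ok) revert ApproveFailed(address(token), spender);
    }
}
```

To see the difference, deploy `FalseReturningToken`, call `setPaused(true)`, then call `register` on each wrapper: `UncheckedApproveWrapper.register` succeeds while `allowance(wrapper, spender)` stays at zero, whereas `CheckedApproveWrapper.register` reverts with `ApproveFailed`. One caveat when applying the fix to production code: a few widely used tokens (USDT on mainnet is the usual example) do not return a bool from `approve` at all, so a plain `require(token.approve(...))` would revert for them; OpenZeppelin's `SafeERC20` helpers (`forceApprove` in current releases) handle both bool-returning and non-returning tokens by inspecting the return data length, and are the idiomatic way to get the check without breaking those tokens.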

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
