HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Valid

Arguments passed in the wrong order will cause permanent DoS in `AaveDIVAWrapper`

Vulnerability Details

The `AaveDIVAWrapper` constructor passes its arguments to the `AaveDIVAWrapperCore` constructor in the wrong order:

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L12

```solidity
constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
```

Notice that the first argument passed is `_aaveV3Pool`: `AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner)`

But `AaveDIVAWrapperCore` expects the first parameter to be `diva_` and the second to be `aaveV3Pool_`:

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L52

```solidity
constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {
    // Validate that none of the input addresses is zero to prevent unintended initialization with default addresses.
    // Zero address check on `owner_` is performed in the OpenZeppelin's `Ownable` contract.
    if (diva_ == address(0) || aaveV3Pool_ == address(0)) {
        revert ZeroAddress();
    }
    // Store the addresses of DIVA Protocol and Aave V3 in storage.
    _diva = diva_;
    _aaveV3Pool = aaveV3Pool_;
}
```

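Because the arguments are passed in the wrong order, `_diva` ends up holding the Aave V3 pool address and `_aaveV3Pool` ends up holding the DIVA address. The contract cannot work, as it will call functions that do not exist on either contract.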

This issue is critical because those parameters are immutable; there is no way to set new values in the contract.
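
Because all three parameters are `address`, the compiler accepts the swapped call. The check below is an added example, not part of the original submission or the project's code: it compares the names passed to a base constructor against the base constructor's parameter names, position by position. The helper names (`checkBaseCall`, `constructorParams`, `baseCallArgs`) are hypothetical, and matching names after stripping underscores is an assumption about the naming convention.

```javascript
// Added example (not project code): flag base-constructor calls whose argument
// names do not line up, position by position, with the base constructor's
// parameter names. Assumption: names match once underscores are stripped.

// The two constructor headers quoted in this finding.
const wrapperSrc =
  "constructor(address _aaveV3Pool, address _diva, address _owner) " +
  "AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}";
const coreSrc =
  "constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {";

// Normalise an identifier: drop leading/trailing underscores, lower-case.
const norm = (id) => id.replace(/^_+|_+$/g, "").toLowerCase();

// Parameter names of the first constructor in `src`.
function constructorParams(src) {
  const m = /constructor\s*\(([^)]*)\)/.exec(src);
  if (!m) throw new Error("no constructor found");
  return m[1].split(",").map((p) => p.trim().split(/\s+/).pop()).filter(Boolean);
}

// Identifiers passed to `baseName(...)` in the constructor header of `src`.
function baseCallArgs(src, baseName) {
  const re = new RegExp(
    "constructor\\s*\\([^)]*\\)[^{]*?\\b" + baseName + "\\s*\\(([^)]*)\\)");
  const m = re.exec(src);
  if (!m) throw new Error("no call to " + baseName + " found");
  return m[1].split(",").map((a) => a.trim()).filter(Boolean);
}

// Compare position by position; report each slot where the names disagree.
function checkBaseCall(derivedSrc, baseSrc, baseName) {
  const params = constructorParams(baseSrc);
  const args = baseCallArgs(derivedSrc, baseName);
  if (params.length !== args.length) {
    return [{ index: -1, expected: params.join(", "), got: args.join(", "), swapped: false }];
  }
  const findings = [];
  params.forEach((p, i) => {
    if (norm(p) === norm(args[i])) return;
    // "swapped": the expected name was passed, but at another position.
    const swapped = args.some((a) => norm(a) === norm(p));
    findings.push({ index: i, expected: p, got: args[i], swapped });
  });
  return findings;
}

console.log(checkBaseCall(wrapperSrc, coreSrc, "AaveDIVAWrapperCore"));
```

On the constructors quoted above it reports positions 0 and 1 as swapped and accepts position 2 (`owner`).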

Impact

Permanent DoS. Contract will not work.

Tools Used

Manual Review

Recommendations

Fix the constructor parameter order:

- constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
+ constructor(address _diva, address _aaveV3Pool, address _owner) AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}
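
Review bot: the `+` line reorders the wrapper's own constructor signature as well as the base call, so the deploy-time argument order changes from (`_aaveV3Pool`, `_diva`, `_owner`) to (`_diva`, `_aaveV3Pool`, `_owner`). All three parameters are `address`, so any caller still passing the old order will compile and deploy with the same swap this fix removes. Either update every caller of this constructor in the same change, or keep the existing signature and reorder only the base call: `AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner)`.
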
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Constructor arguments mismatch
