HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Missing Function to Deregister Collateral Tokens in AaveDIVAWrapper.sol

Summary
The contract provides functions to register collateral tokens individually (registerCollateralToken) and in batches (batchRegisterCollateralToken). However, it lacks a function to deregister or remove collateral tokens, which can lead to security risks, compatibility issues, and reduced flexibility in protocol upgrades.

Impact

  • Incompatible Tokens – If a token turns out to be non-functional or incompatible, it cannot be removed.

  • Security Vulnerabilities – If a token is later found to be exploitable, the contract has no mechanism to prevent its use.

  • Protocol Upgrades – If an upgrade requires transitioning to a new token, the old one cannot be deactivated.

Tools Used

Manual review

Recommendations
Introduce a function to deregister collateral tokens.

```solidity
function deregisterCollateralToken(address _collateralToken) external onlyOwner {
    // Revert if the token was never registered (no wToken mapped to it).
    if (_collateralTokenToWToken[_collateralToken] == address(0)) {
        revert CollateralTokenNotRegistered();
    }
    delete _collateralTokenToWToken[_collateralToken];
    // update the approval by removing approval from unlisted tokens
    emit CollateralTokenDeregistered(_collateralToken);
}
```
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] No way to remove collateral tokens

This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is a known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."
