The _registerCollateralToken function in the AaveDIVAWrapper contract relies on the IERC20Metadata.decimals() function to retrieve the number of decimals for a collateral token. While this works for most ERC20 tokens, some widely-used tokens, such as USDT on Ethereum, do not fully comply with the IERC20Metadata standard. As a result, the function may revert when attempting to register such tokens, which blocks their use as collateral in the protocol.
The _registerCollateralToken function calls IERC20Metadata.decimals() without considering:
Non-compliance: Certain ERC20 tokens (e.g., USDT on Ethereum) are non-compliant with the IERC20Metadata interface and may not implement the decimals() function correctly.
If the token does not correctly implement decimals() (e.g., USDT on Ethereum), the function may revert, halting the registration process.
The relevant code section in _registerCollateralToken is:
Not all tokens (including the standard ones) actually implement a decimals function. According to EIP-20 standard,
Impact on Functionality:
The protocol will be unable to register popular and widely-used tokens like USDT, even though they are supported by Aave V3.
This may block core functionality for users, especially since USDT is explicitly mentioned as a target collateral token.
Likelihood: Moderate
Many ERC20 tokens are compliant with IERC20Metadata, but non-compliant exceptions (like USDT) are significant due to their widespread use.
Security Risk:
There is no immediate exploit potential. However, the issue impacts protocol usability and could discourage user adoption.
Reputation Risk:
Failing to support major tokens such as USDT could damage the protocol’s reputation and lead to user dissatisfaction.
Manual review.
Use a low-level call to read the token's decimals so that USDT on Ethereum is supported.
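One way to implement the suggested low-level read, as an added example that is not the AaveDIVAWrapper code. The library name `SafeDecimals`, its two functions and the `DecimalsUnavailable` error are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Added illustration; all names here are hypothetical.
library SafeDecimals {
    error DecimalsUnavailable(address token);

    /// @dev Reads decimals() through staticcall so that a missing or
    ///      malformed implementation returns (false, 0) instead of
    ///      reverting the caller with no explanation.
    function tryDecimals(address token)
        internal
        view
        returns (bool ok, uint8 value)
    {
        (bool success, bytes memory data) =
            token.staticcall(abi.encodeWithSignature("decimals()"));

        // A call to an address with no code succeeds with empty return
        // data, so the length check is what rejects that case.
        if (!success || data.length < 32) {
            return (false, 0);
        }

        // Decode as uint256 first: a token returning a value wider than
        // uint8 is rejected here rather than silently truncated.
        uint256 raw = abi.decode(data, (uint256));
        if (raw > type(uint8).max) {
            return (false, 0);
        }
        return (true, uint8(raw));
    }

    /// @dev Registration-time variant: fails with an explicit error that
    ///      names the token, so the cause is visible in traces.
    function decimalsOrRevert(address token) internal view returns (uint8) {
        (bool ok, uint8 value) = tryDecimals(token);
        if (!ok) revert DecimalsUnavailable(token);
        return value;
    }
}
```

Whether a failed read should abort registration or fall back to an explicitly supplied decimals value is a protocol decision; `tryDecimals` leaves that choice to the caller.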