HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Ownership cannot be transferred in AaveDIVAWrapper when owner is compromised

Summary

In AaveDIVAWrapper, when the contract is deployed the owner of the contract is initialised, but there is no way to transfer ownership in case the owner address has been compromised.

Vulnerability Details

In AaveDIVAWrapper we can see that it inherits AaveDIVAWrapperCore, which contains the core functionality of the protocol.

    contract AaveDIVAWrapper is AaveDIVAWrapperCore, ReentrancyGuard {
        constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}

Within this core contract we can see it initializes an owner via OpenZeppelin's Ownable function and, as a result, any contract inheriting this abstract contract is supposed to provide the owner address so the contract can initialize the desired owner.

    abstract contract AaveDIVAWrapperCore is IAaveDIVAWrapper, Ownable2Step {
        using SafeERC20 for IERC20Metadata;
        address private immutable _diva;
        address private immutable _aaveV3Pool; // Pool contract address
        mapping(address => address) private _collateralTokenToWToken;
        mapping(address => address) private _wTokenToCollateralToken;
        constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {
            if (diva_ == address(0) || aaveV3Pool_ == address(0)) {
                revert ZeroAddress();
            }
            _diva = diva_;
            _aaveV3Pool = aaveV3Pool_;
        }

But the issue here is that, after the initialization of the owner, there is no way for the owner to be changed or ownership privileges to be transferred. This is a concern because whenever the owner is compromised, there will be no way to recover the protocol, and as a result this will lead to further complications.

Impact

Whenever the owner is compromised, the owner rights cannot be transferred to a new address, leading to difficulty in recovering the protocol.

Tools Used

Manual review

Recommendations

Implement a two-step ownership transfer function.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
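
The AaveDIVAWrapperCore excerpt in the submission declares `Ownable2Step`, and OpenZeppelin's `Ownable2Step` already exposes `transferOwnership`, `pendingOwner` and `acceptOwnership`. The following is an added example, not code from the submission or the project, that exercises that two-step handover; `Wrapper`, `Actor` and `HandoverCheck` are hypothetical names, and OpenZeppelin Contracts v5 is assumed because the excerpt calls `Ownable(owner_)`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";

// Hypothetical stand-in that sets its owner the same way the excerpt does.
contract Wrapper is Ownable2Step {
    constructor(address owner_) Ownable(owner_) {}
}

// Hypothetical actor: gives each party a distinct msg.sender without test cheatcodes.
contract Actor {
    function propose(Wrapper w, address next) external { w.transferOwnership(next); }
    function accept(Wrapper w) external { w.acceptOwnership(); }
}

contract HandoverCheck {
    function run() external returns (bool) {
        Actor oldOwner = new Actor();
        Actor newOwner = new Actor();
        Actor stranger = new Actor();
        Wrapper w = new Wrapper(address(oldOwner));

        // Step 1: the current owner nominates a successor; ownership has not moved yet.
        oldOwner.propose(w, address(newOwner));
        require(w.owner() == address(oldOwner), "owner changed before acceptance");
        require(w.pendingOwner() == address(newOwner), "nominee not recorded");

        // Neither nomination nor acceptance is open to a third party.
        // (A revert inside the success block is not caught, so it fails the check.)
        try stranger.accept(w) { revert("stranger accepted"); } catch {}
        try stranger.propose(w, address(stranger)) { revert("stranger nominated"); } catch {}

        // Step 2: the nominee accepts; only now does ownership move.
        newOwner.accept(w);
        require(w.owner() == address(newOwner), "handover failed");
        require(w.pendingOwner() == address(0), "pending owner not cleared");

        // The previous owner no longer has owner privileges.
        try oldOwner.propose(w, address(oldOwner)) { revert("old owner still privileged"); } catch {}
        return true;
    }
}
```

Calling `run()` on a deployed `HandoverCheck` returns `true` only if every step behaves as commented; any deviation reverts with the corresponding message.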
