Summary

The constructor parameter names of AaveDIVAWrapper and those of AaveDIVAWrapperCore and how they are passed from the AaveDIVAWrapper's constructor to the AaveDIVAWrapperCore's constructor are in the wrong sequence.

Vulnerability Details

The constructor line of AaveDIVAWrapper looks like this:

while the constructor of AaveDIVAWrapperCore has a different sequence regarding the parameter names (1st is diva and then 2nd is aave):

• We can notice that the parameters are also passed to the AaveDIVAWrapperCore contract in aave-then-diva sequence.

• Any developer who's going to deploy an instance of AaveDIVAWrapper is very likely to pass the aave address as the 1st parameter and the diva address as the 2nd. This can make the whole contract instance unusable.

• Even the deployment script has used this wrong sequence, while the test script has used the diva-then-aave sequence. So this bug remained unnoticed in the tests.

Impact

• Wrong contract initialization (Failure of the protocol, with the need for redeploy): The naming sequence is confusing. The created contract instance can go totally wrong.

Files impacted / to be corrected:

• contracts/src/AaveDIVAWrapper.sol: contract AaveDIVAWrapper

• deploy/deployAaveDIVAWrapper.ts

Tools Used

-

Recommendations

Change the sequence used in the constructor of AaveDIVAWrapper (perhaps it's a good idea to keep the exact name format "param_"):

Change the sequence in the deployment script also (deployAaveDIVAWrapper.ts)