HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

USDT can't be registered as a collateral token

Summary

The protocol expects to be compatible with USDT on Ethereum; however, USDT can't be registered, which makes it incompatible with the entire protocol.

Vulnerability Details

The README states the protocol should support:

Any ERC20 token supported by Aave V3, but mainly stablecoins like USDC, USDT are expected to be used for DIVA Donate.

And that the protocol will be deployed on:

Ethereum Mainnet, Polygon, Arbitrum One, Gnosis Chain, Ethereum Sepolia (Testnet)

On Ethereum, USDT doesn't return a boolean value when approve() is called, but the IERC20Metadata interface inherits IERC20, which expects a boolean return value:

function approve(address spender, uint256 value) external returns (bool);

When USDT is passed in as a parameter to _registerCollateralToken, the _collateralTokenContract.approve call will fail because it expects a boolean return value but receives none:

function _registerCollateralToken(address _collateralToken) internal returns (address) {
    ...
    IERC20Metadata _collateralTokenContract = IERC20Metadata(_collateralToken);
    ...
    _collateralTokenContract.approve(_aaveV3Pool, type(uint256).max);
    ...
}

Impact

USDT can't be used with the protocol.

Tools Used

Manual review.

Recommendations

Force the approval to account for USDT on Ethereum.
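
The failure described above, next to one way of making the approval tolerate a missing return value, as an added example that is not part of the submission or the protocol's code. NoReturnToken, ApproveDemo, IERC20Approve and both function names are hypothetical, and NoReturnToken is a constructed stand-in for a token whose approve() returns no data.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration; none of these contracts come from the audited code base.

interface IERC20Approve {
    function approve(address spender, uint256 value) external returns (bool);
}

// Constructed stand-in for a USDT-style token: approve() returns no data.
contract NoReturnToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external {
        allowance[msg.sender][spender] = value;
    }
}

contract ApproveDemo {
    error ApproveFailed(address token);

    // Typed call: the compiler-generated decoder requires 32 bytes of return
    // data, so this reverts when `token` is a NoReturnToken.
    function strictApprove(address token, address spender) external {
        IERC20Approve(token).approve(spender, type(uint256).max);
    }

    // Low-level call: accepts empty return data or an ABI-encoded `true`,
    // and reverts on a failed call or an explicit `false`.
    function tolerantApprove(address token, address spender) external {
        // A call to an address without code succeeds with empty return data,
        // so reject that case before interpreting the result.
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSignature("approve(address,uint256)", spender, type(uint256).max)
        );
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) {
            revert ApproveFailed(token);
        }
    }
}
```

OpenZeppelin's SafeERC20 library applies the same return-data handling to token calls.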

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
