Collateral token can't be unregistered
Summary
The protocol lacks unregister collateral functionality.
Vulnerability Details
Aave pools have a dropReserve (aave usdc pool on arbitrum example) method which can disallow certain underlying tokens. AaveDivaWrapper will work with all the tokens which are supported by Aave and for this purpose it has a only owner registerCollateralToken method but lacks one which does the opposite.
Impact
Users won't be able to create pools through the wrapper with collateral assets which were previously supported and there is no way to disallow that collateral
Tools Used
Manual Review
Recommendations
Consider implementing an _unregisterCollateral callable by the owner only, which resets the corresponding wToken -> collateral and opposite values in the mappings _collateralTokenToWToken and _wTokenToCollateralToken to address(0).
Lead Judging Commences
[Invalid] No way to remove collateral tokens
This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.