In AaveDIVAWrapperCore contract, inside the function _registerCollateralToken(), _collateralTokenContract.approve() is being called in line 116, which is not recommended in case of tokens like USDT.
If an old ERC20 token is being registered as collateral by the owner of AaveDIVAWrapper, e.g. USDT, then there is a line which calls .approve() which can potentially prevent registering such a token as collateral.
For USDT (and similar tokens), if there is already a non-zero allowance, then the call to approve() with a non-zero value fails. So SafeERC20's forceApprove() is recommended, which first sets the allowance to zero in case it's required and only then sets it to the desired non-zero value.
Considering a legit owner, I didn't find any way to approve some non-zero value of _collateralTokenContract when it's not registered. There isn't a state change from registered to not-registered for a collateral token, that could've left some non-zero allowance which could've failed re-registration of such tokens. So practically there won't be such a scenario in which there would already be a non-zero allowance when the collateral is being registered.
There isn't any operational impact as per the current logic.
The use of forceApprove() is recommended in line 116 of AaveDIVAWrapperCore.sol for the collateral token.
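
The allowance rule described above, shown against a mock token. This is an added example, not code from AaveDIVAWrapperCore.sol. UsdtLikeToken, CollateralRegistrar, pool and both function names are hypothetical, the mock models only the non-zero-allowance check, and OpenZeppelin Contracts 4.9 or later is assumed for forceApprove().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical mock: a non-zero approval reverts while the caller's
// current allowance for that spender is still non-zero.
contract UsdtLikeToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external returns (bool) {
        require(
            value == 0 || allowance[msg.sender][spender] == 0,
            "reset allowance to 0 first"
        );
        allowance[msg.sender][spender] = value;
        return true;
    }
}

// Hypothetical registrar. `pool` stands in for the spender that the
// registration step approves; it is not taken from the audited code.
contract CollateralRegistrar {
    using SafeERC20 for IERC20;

    address public immutable pool;

    constructor(address pool_) {
        pool = pool_;
    }

    // Plain approve(): the first call succeeds (allowance 0 -> max).
    // A second call for the same token reverts, because the allowance
    // is already non-zero and the requested value is non-zero.
    function registerWithApprove(IERC20 token) external {
        token.approve(pool, type(uint256).max);
    }

    // forceApprove(): tries the approval and, if that attempt fails,
    // sets the allowance to 0 and then approves the requested value.
    // Succeeds on every call, whatever allowance is left over.
    function registerWithForceApprove(IERC20 token) external {
        token.forceApprove(pool, type(uint256).max);
    }
}
```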