HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Unsafe usage of approve method for some ERC20s

Summary

The standard ERC20 interface expects approve to return a boolean. However, some widely used ERC20 tokens on some chains return no value at all from approve (the best-known example is USDT on Ethereum Mainnet), so calling them through an interface that declares a bool return value reverts.

Vulnerability Details

The README states which chains and which ERC20 tokens are in scope:

AaveDIVAWrapper contract will be deployed on EVM-compatible chains where both DIVA Protocol and Aave V3 are available. These include:
- Ethereum Mainnet
- Polygon
- Arbitrum One
- Gnosis Chain
- Ethereum Sepolia (Testnet)
Supported collateral tokens:
- Any ERC20 token supported by Aave V3, but mainly stablecoins like USDC, USDT are expected to be used for DIVA Donate.
- Fee-on-transfer and rebaseable tokens are NOT supported.
- Tokens must have between 6-18 decimals.

For a non-standard token such as USDT, calling approve through OpenZeppelin's IERC20 interface reverts: the interface declares a bool return value, so the compiler emits a check that the call returned at least 32 bytes of return data (returndatasize) before decoding it. USDT's approve returns nothing, the check fails, and the whole transaction reverts.

Standard ERC20s return a boolean on approval:
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/IERC20.sol#L67

USDT on the main net doesn't return a value:
https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#code

Impact

registerCollateralToken reverts when the collateral token is USDT (or any other token whose approve returns no value), so such tokens can never be registered as collateral. The offending call is:

_collateralTokenContract.approve(_aaveV3Pool, type(uint256).max);

Tools Used

Recommendations

Use OpenZeppelin's SafeERC20 instead of calling approve directly. safeApprove is deprecated in OpenZeppelin Contracts 4.x and removed in 5.x; forceApprove (available since 4.9) is the current replacement. It performs a low-level call and accepts either no return data or a returned true, and it also handles USDT's requirement that a non-zero allowance be reset to zero before it is changed.
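The following contracts are an added example, not code from the original submission or from the AaveDIVAWrapper project. NoReturnToken is a hypothetical USDT-style token whose approve returns nothing; UnsafeRegistrar reproduces the pattern from the report (approve called through IERC20) and SafeRegistrar shows the recommended SafeERC20.forceApprove. Demo.run() shows that the unsafe path reverts while the safe path sets the allowance. It assumes OpenZeppelin Contracts 4.9 or later, where forceApprove exists; the pool address is a placeholder.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not project code). Assumes OpenZeppelin Contracts >= 4.9.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical USDT-style token: approve() writes the allowance but returns no value.
contract NoReturnToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }
}

/// Before: the pattern from the report. IERC20.approve declares a bool return,
/// so the compiler checks returndatasize() >= 32 after the call. NoReturnToken
/// returns zero bytes, so this call reverts and registration fails.
contract UnsafeRegistrar {
    function register(address token, address pool) external {
        IERC20(token).approve(pool, type(uint256).max);
    }
}

/// After: SafeERC20.forceApprove issues a low-level call and accepts either
/// empty return data or a returned `true`. If the token rejects a non-zero to
/// non-zero change (as USDT does), it first resets the allowance to zero.
contract SafeRegistrar {
    using SafeERC20 for IERC20;

    function register(address token, address pool) external {
        IERC20(token).forceApprove(pool, type(uint256).max);
    }
}

/// Demo harness: deploys the token and both registrars, then shows that only
/// the SafeERC20 path succeeds against a token whose approve returns nothing.
contract Demo {
    function run() external returns (bool unsafeReverted, uint256 safeAllowance) {
        NoReturnToken token = new NoReturnToken();
        UnsafeRegistrar unsafeReg = new UnsafeRegistrar();
        SafeRegistrar safeReg = new SafeRegistrar();
        address pool = address(0xBEEF); // placeholder for the Aave V3 pool

        // Low-level call so the revert can be observed instead of bubbling up.
        (bool ok, ) = address(unsafeReg).call(
            abi.encodeCall(UnsafeRegistrar.register, (address(token), pool))
        );
        unsafeReverted = !ok;
        require(unsafeReverted, "approve through IERC20 should revert on a no-return token");

        safeReg.register(address(token), pool);
        safeAllowance = token.allowance(address(safeReg), pool);
        require(safeAllowance == type(uint256).max, "forceApprove should set max allowance");
    }
}
```

Deploy Demo and call run() in a local EVM (e.g. a Hardhat or Foundry test); the require statements make it self-checking. Note that the allowance being granted is the registrar contract's own, which is the situation in registerCollateralToken as well.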

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
