Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Irreversible registration of collateral tokens can expose the protocol to operational risks

victorzsh

Summary

The absence of a function to remove or update registered collateral tokens creates a permanent mapping, leaving the protocol vulnerable to operational inefficiencies and significant security risks. This limitation prevents the protocol from adapting to changes, such as tokens being delisted by Aave or updates to tokens that use upgradeable contracts.

Vulnerability Details

Source Code Reference

In the AaveDIVAWrapperCore::_registerCollateralToken function, collateral tokens are registered through the _collateralTokenToWToken and _wTokenToCollateralToken mappings. Once registered, there is no mechanism to remove or update these entries. This is because:

The _registerCollateralToken function defines the mappings:

// Map collateral token to its corresponding wToken.
@> _collateralTokenToWToken[_collateralToken] = _wToken;
// Map wToken to its corresponding collateral token to facilitate reverse lookups.
@> _wTokenToCollateralToken[_wToken] = _collateralToken;

There is no unregisterCollateralToken function or anything similar that could delete or update these records.

Impact

The inability to remove registered collateral tokens poses critical risks to the protocol. If a malicious token is accidentally registered or undergoes an update — tokens like USDC are implemented with an upgradeable contract — that compromises any protocol functionality, it remains permanently active, enabling continuous exploitation.

Additionally, if Aave delists a token (e.g., a stablecoin), the wrapper will continue to allow operations with it, leading to potential failures in essential functions such as AaveDIVAWrapperCore::_createContingentPool or AaveDIVAWrapperCore::_redeemWToken.

Tools Used

Manual review.

Recommendations

Add an _unregisterCollateralToken function restricted to the owner for greater flexibility.

AaveDIVAWrapperCore.sol:

+ mapping(address => bool) private _depositBlocked;
...
+ function _unregisterCollateralToken(address _collateralToken, bool _isBlocked) internal {
+ _depositBlocked[_collateralToken] = _isBlocked;
+ }

Use the mapping(address => bool) private _depositBlocked and a modifier isDepositBlocked to check this state in the createContingentPool and addLiquidity functions, reverting the transaction if the token is marked as blocked for deposits. This should be useful in situations where there is a need to remove a token while deposits still exist.

Additionally, add the unregisterCollateralToken function to the AaveDIVAWrapper contract:

function unregisterCollateralToken(address _collateralToken, bool _isBlocked)
external
override
onlyOwner
nonReentrant
{
_unregisterCollateralToken(_collateralToken, _isBlocked);
}

It is important that the interface of this function is added to IAaveDIVAWrapper.sol.

The best measure in this case is indeed a mapping that allows the blocking of collateral token deposits. This is because, for example, deleting the values from the mappings _wTokenToCollateralToken[_wToken] or _collateralTokenToWToken[_collateralToken] could result in token loss for users who have already made deposits and thus would not be able to perform withdrawals.

Updates

Lead Judging Commences

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] No way to remove collateral tokens

This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.