HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Valid

Immutable Addresses in AaveDIVAWrapper Contract

Summary

The AaveDivaWrapperCore.sol contract uses immutable variables (_diva and _aaveV3Pool) to store the addresses of the DIVA Protocol and Aave V3 Pool contracts. While immutable variables are gas-efficient and secure, they cannot be updated after deployment. This creates a significant limitation: if the Aave V3 Pool contract address changes (e.g., due to upgrades, bug fixes, or migrations), the AaveDIVAWrapper contract will fail to adapt to the new address, rendering it non-functional or requiring a complete redeployment.

Vulnerability Details

  • The _diva and _aaveV3Pool addresses are declared as private immutable, meaning:

    • They are set once during contract deployment (in the constructor).

    • They cannot be modified after deployment.

  • This design choice is efficient for gas usage but lacks flexibility for adapting to changes in external dependencies.

Potential Scenarios Requiring Address Updates

The Aave V3 Pool contract address might change in the following situations:

  1. Upgrades and Optimizations:

    • Aave releases a new version of the Pool contract with improved features, optimizations, or bug fixes.

    • The old contract is deprecated, and users are required to migrate to the new address.

  2. Critical Bug Fixes:

    • A critical vulnerability is discovered in the Aave V3 Pool contract, requiring a patched version with a new address.

  3. Protocol Migration:

    • Aave migrates to a new protocol version (e.g., Aave V4) or a different deployment (e.g., moving to a new blockchain or layer).

  4. Admin Decisions:

    • The Aave team decides to redeploy the Pool contract for administrative reasons (e.g., restructuring, regulatory compliance).

  5. Chain-Specific Deployments:

    • The contract is deployed on multiple chains, and the Aave V3 Pool address differs across chains. If the contract is not redeployed with the correct address, it will fail to function on the new chain.

Impact

Contract Failure

  • If the Aave V3 Pool address changes, the AaveDIVAWrapper contract will continue to interact with the old address.

Redeployment Required

  • To fix the issue, the contract will need to be redeployed with the new Aave V3 Pool address. This process is costly, time-consuming, and may require users to migrate their funds to the new contract.

Tools Used

Manual review

Recommendations

Add functionality for changing those addresses in case something like this happens.
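One way such an update path could look, as an added sketch that is not part of the submission or of the AaveDIVAWrapper code base. The contract name, the fixed `owner` model, the custom errors and the `AaveV3PoolUpdated` event are hypothetical; only the `_aaveV3Pool` variable name comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; not the AaveDIVAWrapper source.
// Contract name, owner model, errors and event are hypothetical.
contract UpdatablePoolReference {
    address public immutable owner; // hypothetical admin, fixed at deployment
    address private _aaveV3Pool;    // storage instead of immutable: can be repointed

    // Emitted on every change so off-chain monitoring can alert on it.
    event AaveV3PoolUpdated(address indexed oldPool, address indexed newPool);

    error NotOwner();
    error ZeroAddress();
    error NotAContract();
    error SameAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address aaveV3Pool_, address owner_) {
        if (owner_ == address(0)) revert ZeroAddress();
        owner = owner_;
        _setPool(aaveV3Pool_);
    }

    // Trade-off: whoever controls `owner` can now redirect the pool reference,
    // which the immutable design ruled out.
    function setAaveV3Pool(address newPool) external onlyOwner {
        _setPool(newPool);
    }

    function aaveV3Pool() external view returns (address) {
        return _aaveV3Pool;
    }

    function _setPool(address newPool) private {
        if (newPool == address(0)) revert ZeroAddress();
        if (newPool.code.length == 0) revert NotAContract(); // rejects EOAs and typos
        address oldPool = _aaveV3Pool;
        if (newPool == oldPool) revert SameAddress();
        _aaveV3Pool = newPool;
        emit AaveV3PoolUpdated(oldPool, newPool);
    }
}
```

Reading the pool address from storage costs more gas per call than reading an immutable, which is the efficiency the finding notes the current design was chosen for.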

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Immutable Aave pool address

Appeal created

0xkann Submitter
9 months ago
