Permanent Locking of Funds Due to Irremovable Collateral Tokens
The registerCollateralToken function allows the contract owner to add new collateral tokens but does not provide a way to deregister or remove them, leading to a permanent lock-in of funds if a token becomes obsolete or blacklisted. If a registered collateral token is later paused, deprecated, or its contract is upgraded, users may deposit funds into a non-functional pool, causing them to become inaccessible indefinitely. A proper fix should introduce a function allowing the owner to safely remove invalid collateral tokens, preventing users from interacting with broken liquidity pools.
Since _registerCollateralToken modifies internal mappings to track registered tokens, but no function exists to remove them, users remain trapped with non-functional tokens in the protocol.
Impact:
Users can lose access to their funds if collateral tokens become unusable due to blacklisting, pausing, or contract deprecation, with no mechanism to recover liquidity.
Mitigation:
Implement a deregisterCollateralToken function that allows the owner to safely remove broken or deprecated collateral tokens, ensuring users can exit liquidity pools before tokens become non-functional.
Lead Judging Commences
[Invalid] No way to remove collateral tokens
This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.