HardhatDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

[H-1] Improper Validation of Token Address Leading to Zero Address Registration in AaveDIVAWrapper::registerCollateralToken function

Summary

The vulnerability arises from the lack of validation for token addresses during registration, allowing the zero address to be registered as a collateral token. This can lead to high-severity issues, including transaction failures, denial of service, and operational disruptions, as functions attempting to interact with the zero address will revert.

Vulnerability Details

The contract lacks proper validation when registering collateral tokens, allowing the zero address (0x0000000000000000000000000000000000000000) to be registered as a valid token. This oversight can lead to significant operational and security issues.

Impact

If this issue is left unaddressed, the following functions are affected:

  1. addLiquidity:

    • Attempting to transfer a zero address token would fail, as the zero address is not a valid ERC20 token. This would likely cause the transaction to revert due to failed token transfer operations.

  2. removeLiquidity:

    • Similar to addLiquidity, any operation involving transferring a zero address token would fail, leading to transaction reverts.

  3. redeemPositionToken:

    • If the zero address is used as a position token, redemption operations would fail, as the contract cannot interact with a non-existent token contract.

  4. redeemWToken:

    • Redemption involving a zero address wrapped token would fail for the same reasons, causing transaction reverts.

  5. claimYield:

    • Yield claiming operations would fail if they involve transferring a zero address token, leading to transaction failures.

  6. approveCollateralTokenForAave:

    • Attempting to approve a zero address token for Aave would fail, as the zero address cannot execute ERC20 functions like approve.

Tools Used

Manual Review

Recommendations

Add a zero-address check in registerCollateralToken to resolve the issue:

```diff
function registerCollateralToken(
    address _collateralToken
) external override onlyOwner nonReentrant returns (address) {
+   require(_collateralToken != address(0), "Invalid token address");
    return _registerCollateralToken(_collateralToken);
}
```
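As an added illustration (not code from the AaveDIVAWrapper project or the original submission), the following minimal registry shows the recommended zero-address check in context and generalizes it: an address with no deployed code, or one that does not respond to a basic ERC20 view call, would make the same downstream addLiquidity/removeLiquidity/approve paths revert just as address(0) would. The contract, the `IERC20Minimal` interface, the custom errors and the internal `_registerCollateralToken` body are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the AaveDIVAWrapper project's code. Models an owner-gated
// collateral-token registry whose registration path rejects inputs that would
// make every later token interaction revert.

interface IERC20Minimal {
    function totalSupply() external view returns (uint256);
}

contract CollateralRegistryExample {
    address public owner;
    mapping(address => bool) public isRegistered;

    error NotOwner();
    error ZeroAddress();
    error NotAContract(address token);
    error NotERC20Like(address token);
    error AlreadyRegistered(address token);

    event CollateralTokenRegistered(address indexed token);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function registerCollateralToken(address _collateralToken)
        external
        onlyOwner
        returns (address)
    {
        // 1. The check from the recommendation: reject the zero address outright.
        if (_collateralToken == address(0)) revert ZeroAddress();

        // 2. Broader guard (assumption added in this example): an EOA or an
        //    undeployed address is just as unusable as address(0); ERC20 calls
        //    that expect return data revert against an address with no code.
        if (_collateralToken.code.length == 0) revert NotAContract(_collateralToken);

        // 3. Cheap liveness probe: a staticcall to totalSupply() must succeed and
        //    return at least one 32-byte word, so the address behaves like an ERC20.
        (bool ok, bytes memory ret) =
            _collateralToken.staticcall(abi.encodeCall(IERC20Minimal.totalSupply, ()));
        if (!ok || ret.length < 32) revert NotERC20Like(_collateralToken);

        return _registerCollateralToken(_collateralToken);
    }

    // Hypothetical internal registration step standing in for the project's own.
    function _registerCollateralToken(address _collateralToken) internal returns (address) {
        if (isRegistered[_collateralToken]) revert AlreadyRegistered(_collateralToken);
        isRegistered[_collateralToken] = true;
        emit CollateralTokenRegistered(_collateralToken);
        return _collateralToken;
    }
}
```

Deploying this registry and calling `registerCollateralToken(address(0))` from the owner reverts with `ZeroAddress()` instead of storing the entry; passing an EOA reverts with `NotAContract`, and passing a contract that is not an ERC20 reverts with `NotERC20Like`. The extra checks cost one staticcall at registration time, which is owner-only and infrequent, so the gas overhead is negligible compared with the cost of an unusable registered token.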
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
