No function to Deregister a Collateral Token
Summary
The _registerCollaterlToken function allows collateral tokens to be registered but does not provide way to remove or update a registered collateral token. Once a collateral token is mapped to a wToken, there is no mechanism to deregister it or modify the mapping.
Vulnerability Details
This vulnerability will cause issue if a registered collateral token is deprecated or becomes unsupported.
An issue is discovered in the
wTokencontract, requiring a replacement.The owner needs to pause or migrate to a new system.
Impact
Cannot remove or replace faulty wTokens.
No way to handle protocol upgrades
Stale or deprecated tokens remain in the system indefinitely.
Tools Used
Manual Review
Recommendations
Introduce a function to remove a registered collateral token and its corresponding wrapped token.
Lead Judging Commences
[Invalid] No way to remove collateral tokens
This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.