Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Incorrect Constructor Parameter Order set in `AaveDIVAWrapper` to `AaveDIVAWrapperCore` Leading to Denial of Service

lhoussaineph2001

Summary

A critical bug has been identified in the AaveDIVAWrapper contract, where the constructor parameters are passed in an incorrect order to the AaveDIVAWrapperCore base contract. This misconfiguration leads to improper initialization of key contract addresses, resulting in potential operational failures and security vulnerabilities.

Vulnerability Details

The parameters aaveV3Pool, diva are passed in the wrong order to the AaveDIVAWrapperCore constructor, which expects the order as diva, aaveV3Pool, owner.

//@audit-H Wrong paramters Order

// Expected AaveDIVAWrapperCore(_diva , _aaveV3Pool, _owner)

constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}

//@audit-H

constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {

Impact

Misconfigured Addresses:

The contract will incorrectly assign the _aaveV3Pool, _diva, addresses, leading to erroneous interactions with external systems.

Operational Failures (DOS) :

Functions that depend on these addresses may fail to execute as expected, causing disruptions in contract functionality.

Example Of DOS in `AaveDIVAWrapper::registerCollateralToken` :

Owner call `AaveDIVAWrapper::registerCollateralToken`
And This call `AaveDIVAWrapperCore::_registerCollateralToken`
And This call `_diva::getReserveData` as not expected
`getReserveData` function exist in `_aaveV3pool`

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.26;

import "forge-std/Test.sol";

import {IAaveDIVAWrapper} from "../src/interfaces/IAaveDIVAWrapper.sol";

import {IAave} from "../src/interfaces/IAave.sol";

import {IDIVA} from "../src/interfaces/IDIVA.sol";

import "../src/AaveDIVAWrapper.sol";

import "../src/interfaces/IDIVA.sol";

import "lib/openzeppelin-contracts/contracts/interfaces/IERC20Metadata.sol";

interface IUSDC {

function approve(address spender, uint256 amount) external;

function transfer(address recipient, uint256 amount) external;

function balanceOf(address) external view returns (uint256);

function transferFrom(address sender, address recipient, uint256 amount) external;

function decimals() external view returns (uint8);

}

contract AaveDIVAWrapperTest is Test {

AaveDIVAWrapperCore wrapper;

address trader = address(0x4D8336bDa6C11BD2a805C291Ec719BaeDD10AcB9); // in polygon

address shortRecipient;

address longRecipient;

bytes32 poolId;

IAave _aavePool = IAave(0x794a61358D6845594F94dc1DB02A252b5b4814aD); // in polygon

IDIVA _diva = IDIVA(0x2C9c47E7d254e493f02acfB410864b9a86c28e1D); // in polygon

IUSDC USDC = IUSDC(0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359); // in polygon

function setUp() public {

// Deploy or connect to the necessary contracts

// Deploying the contract with incorrect constructor argument order

// Expected: AaveDIVAWrapperCore(_diva , _aaveV3Pool, _owner)

// Given: AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner)

wrapper = new AaveDIVAWrapper(address(_aavePool),address(_diva),address(this));

shortRecipient = address(0x1); // short recipent address

longRecipient = address(0x2); // log recipent address

// getReserveData call it in 0x2C9c47E7d254e493f02acfB410864b9a86c28e1D witch is diva protocl

// not in aaveV3pool as expected

// DOS in registerCollateralToken function

wrapper.registerCollateralToken(address(USDC)); // revert dor to DOS

// ├─ [8648] AaveDIVAWrapper::registerCollateralToken(0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359)

// │ ├─ [2338] 0x2C9c47E7d254e493f02acfB410864b9a86c28e1D::getReserveData(0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359)

[staticcall]

// │ │ └─ ← [Revert] custom error 0x5416eb98: 35ea6a7500000000000000000000000000000000000000000000000000000000

// │ └─ ← [Revert] custom error 0x5416eb98: 35ea6a7500000000000000000000000000000000000000000000000000000000

// └─ ← [Revert] custom error 0x5416eb98: 35ea6a7500000000000000000000000000000000000000000000000000000000 */

}

* Root Cause:

* The incorrect constructor order leads to `_diva` pointing to `_aavePool`, causing

* function calls meant for DIVA to fail and block further operations.

Tools Used

Manuial Review
Foundry Framework

Recommendations

- constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}

+ constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_diva , _aaveV3Pool, _owner) {}

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Constructor arguments mismatch

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.