HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

`collateralToken` no longer supported by Aave V3 leads users to experience continuous reverts in `AaveDIVAWrapper::createContingentPool` calls

Summary

The `AaveDIVAWrapper::registerCollateralToken` function enables the registration of a `_collateralToken`. When a token is registered via the internal `_registerCollateralToken` function, a mapping is updated to link the collateral token to its corresponding wToken. `registerCollateralToken` includes a validation check to ensure that the `_collateralToken` is supported by Aave V3 at the time of registration. If this check passes, the token is considered supported and can be used within the AaveDIVAWrapper.

However, an issue arises if a previously registered `_collateralToken` later becomes unsupported by Aave V3. The AaveDIVAWrapper contract provides no function to unregister collateral tokens, so users can still retrieve it as a registered token via `getWToken`. Consequently, they may call `createContingentPool` with this `_collateralToken`, and the call will revert because the token is no longer supported by Aave.

Vulnerability Details

```solidity
function _registerCollateralToken(address _collateralToken) internal returns (address) {
    if (_collateralTokenToWToken[_collateralToken] != address(0)) {
        revert CollateralTokenAlreadyRegistered();
    }
@>  address _aToken = _getAToken(_collateralToken);
@>  if (_aToken == address(0)) {
@>      revert UnsupportedCollateralToken();
    }
    ... omitted code
@>  _collateralTokenToWToken[_collateralToken] = _wToken;
    _wTokenToCollateralToken[_wToken] = _collateralToken;
    ... omitted code
    return _wToken;
}

function _createContingentPool(PoolParams calldata _poolParams) internal returns (bytes32) {
    address _wToken = _collateralTokenToWToken[_poolParams.collateralToken];
    if (_wToken == address(0)) {
        revert CollateralTokenNotRegistered();
    }
    // Transfer collateral token from caller to this contract, supply to Aave, and mint wTokens.
    // Requires prior approval by the caller to transfer the collateral token to the AaveDIVAWrapper contract.
@>  _handleTokenOperations(_poolParams.collateralToken, _poolParams.collateralAmount, _wToken);
    ... omitted code
    return _poolId;
}

function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {
    IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);
    // Supply the collateral token to Aave and receive aTokens. Approval to transfer the collateral token from this contract
    // to Aave was given when the collateral token was registered via `registerCollateralToken` or when the
    // allowance was set via `approveCollateralTokenForAave`.
@>  IAave(_aaveV3Pool).supply(
        _collateralToken, // Address of the asset to supply to the Aave reserve.
        _collateralAmount, // Amount of asset to be supplied.
        address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`).
        0 // Referral supply is currently inactive, you can pass 0 as referralCode. This program may be activated in the future through an Aave governance proposal.
    );
    IWToken(_wToken).mint(address(this), _collateralAmount);
}
```

Impact

If a `_collateralToken` is registered in the AaveDIVAWrapper but later becomes unsupported by Aave V3, users attempting to create pools with this `_collateralToken` via `createContingentPool` will experience continuous reverts.

Tools Used

Manual review.

Recommendations

Implement an `AaveDIVAWrapper::unregisterCollateralToken` function (with `onlyOwner` access) for unregistering `_collateralToken`s that are no longer supported.
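The recommendation above, sketched as an added example that is not part of the AaveDIVAWrapper code base: a minimal registry that keeps the register/create checks quoted in the finding and adds an owner-only `unregisterCollateralToken`. The `IAaveSupportCheck` interface, `WTokenStub`, the `NotOwner` error and the two events are assumptions of this example; the other error names mirror those in the finding. It goes one step beyond the recommendation by clearing only the forward `collateralToken -> wToken` mapping, so that new pools fail fast while holders of an already-minted wToken keep a valid reverse lookup.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not AaveDIVAWrapper's own code. Interface, stub, NotOwner and
// the events are hypothetical; error names follow the finding.

interface IAaveSupportCheck {
    // Assumed helper: returns the aToken for `asset`, or address(0) if Aave V3
    // has no reserve for it (the wrapper's internal `_getAToken` plays this role).
    function aTokenOf(address asset) external view returns (address);
}

// Stand-in for the wrapper's WToken deployment; only its address matters here.
contract WTokenStub {
    address public immutable collateralToken;
    constructor(address _collateralToken) { collateralToken = _collateralToken; }
}

contract CollateralRegistry {
    error CollateralTokenAlreadyRegistered();
    error CollateralTokenNotRegistered();
    error UnsupportedCollateralToken();
    error NotOwner();

    event CollateralTokenRegistered(address indexed collateralToken, address indexed wToken);
    event CollateralTokenUnregistered(address indexed collateralToken, address indexed wToken);

    address public immutable owner;
    IAaveSupportCheck public immutable aave;

    // Forward mapping gates new pools; reverse mapping serves redemptions.
    mapping(address => address) private _collateralTokenToWToken;
    mapping(address => address) private _wTokenToCollateralToken;

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address _aave) {
        owner = msg.sender;
        aave = IAaveSupportCheck(_aave);
    }

    // Mirrors the registration check from the finding: Aave support is
    // verified only once, at registration time.
    function registerCollateralToken(address _collateralToken) external onlyOwner returns (address) {
        if (_collateralTokenToWToken[_collateralToken] != address(0)) {
            revert CollateralTokenAlreadyRegistered();
        }
        if (aave.aTokenOf(_collateralToken) == address(0)) {
            revert UnsupportedCollateralToken();
        }
        address _wToken = address(new WTokenStub(_collateralToken));
        _collateralTokenToWToken[_collateralToken] = _wToken;
        _wTokenToCollateralToken[_wToken] = _collateralToken;
        emit CollateralTokenRegistered(_collateralToken, _wToken);
        return _wToken;
    }

    // The recommended addition. Only the forward mapping is cleared, so
    // `createContingentPool` reverts early with `CollateralTokenNotRegistered()`
    // instead of deep inside Aave's `supply`, while the reverse lookup for the
    // existing wToken stays intact for redemptions.
    function unregisterCollateralToken(address _collateralToken) external onlyOwner {
        address _wToken = _collateralTokenToWToken[_collateralToken];
        if (_wToken == address(0)) {
            revert CollateralTokenNotRegistered();
        }
        delete _collateralTokenToWToken[_collateralToken];
        emit CollateralTokenUnregistered(_collateralToken, _wToken);
    }

    function getWToken(address _collateralToken) external view returns (address) {
        return _collateralTokenToWToken[_collateralToken];
    }

    function getCollateralToken(address _wToken) external view returns (address) {
        return _wTokenToCollateralToken[_wToken];
    }

    // Reduced stand-in for `_createContingentPool`: only the registry check is
    // kept; transfer, Aave supply and wToken mint are omitted.
    function createContingentPool(address _collateralToken) external view returns (address) {
        address _wToken = _collateralTokenToWToken[_collateralToken];
        if (_wToken == address(0)) {
            revert CollateralTokenNotRegistered();
        }
        return _wToken;
    }
}
```

After `unregisterCollateralToken` runs, `getWToken` returns `address(0)` for the token, so front-ends querying the registry stop offering it and `createContingentPool` reverts with a wrapper-level error rather than an opaque Aave revert. Whether the reverse mapping should also be cleared depends on whether any wTokens for that collateral are still outstanding; keeping it is the conservative choice.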

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] No way to remove collateral tokens

This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is a known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."

Appeal created

kiteweb3 Submitter 9 months ago
bube Lead Judge 9 months ago
