Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Insecure ERC20 Allowance Handling Leading to Failed Token Registrations and Aave Interactions

chainsentryaudits

Summary and Impact

The AaveDIVAWrapper contract contains two critical flaws in its ERC20 token allowance management:

Non-Compliant approve Usage: The registerCollateralToken function directly uses approve instead of OpenZeppelin’s safeApprove, which reverts for tokens like USDT that do not return a boolean. This prevents registration of widely used collateral tokens, violating the protocol’s core invariant of supporting Aave V3-compatible assets.
Faulty Allowance Reset Logic: The approveCollateralTokenForAave function uses safeIncreaseAllowance, which fails for tokens requiring an allowance reset to 0 before setting a new value. This blocks Aave interactions (supply/withdraw) for affected tokens, rendering the protocol unusable for these assets.

Impact:

Token Registration Failure: USDT and similar tokens cannot be registered, limiting protocol utility.
Aave Functionality Freeze: Users cannot deposit/withdraw collateral for registered tokens after initial allowance exhaustion, violating the invariant that "registered tokens generate yield via Aave".
Broken Core Features: Both issues directly impede the protocol’s ability to interact with Aave V3, a central value proposition stated in the documentation.

Vulnerability Details

1. Non-Compliant `approve` in Token Registration

Code Snippet:

// AaveDIVAWrapperCore.sol: _registerCollateralToken

_collateralTokenContract.approve(_aaveV3Pool, type(uint256).max);

Issue:

USDT’s approve lacks a return value, causing the transaction to revert when approve is called directly.
This violates the ERC20 standard’s recommended SafeERC20 pattern, which the protocol otherwise uses (e.g., safeTransferFrom).

2. Incorrect Allowance Reset Mechanism

Code Snippet:

// AaveDIVAWrapperCore.sol: _approveCollateralTokenForAave

IERC20Metadata(_collateralToken).safeIncreaseAllowance(

_aaveV3Pool,

type(uint256).max - currentAllowance

);

Issue:

safeIncreaseAllowance attempts to increase an existing allowance, but tokens like USDT require resetting to 0 first.
Example: If currentAllowance = 100, calling safeIncreaseAllowance(2^256 - 1 - 100) tries to set allowance to 2^256 - 1, which USDT rejects.

Tools Used

Manual Review

Recommendations

Replace approve with safeApprove:

// In _registerCollateralToken

_collateralTokenContract.safeApprove(_aaveV3Pool, 0); // Reset first

_collateralTokenContract.safeApprove(_aaveV3Pool, type(uint256).max);

Fix Allowance Reset Logic:

// In _approveCollateralTokenForAave

IERC20Metadata(_collateralToken).safeApprove(_aaveV3Pool, 0);

IERC20Metadata(_collateralToken).safeApprove(_aaveV3Pool, type(uint256).max);

Rationale:

safeApprove handles non-standard tokens by using low-level calls and validating success.
Resetting to 0 before setting a new allowance complies with tokens like USDT.

Updates

Lead Judging Commences

bube Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.