HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Missing function to unregister tokens that are no longer supported by Aave

Summary and Vulnerability Details

The AaveDIVAWrapperCore contract uses the `_registerCollateralToken` function to register tokens that have not already been registered and that are supported by Aave. However, there is no function to unregister tokens that are no longer supported by Aave.

There are various reasons why tokens may become unsupported on Aave (governance decisions, regulatory issues, security concerns...). The AaveDIVAWrapper should ideally reflect those changes and revert immediately if any of the key functions on the AaveDIVAWrapper contract is called with a token that is no longer supported on Aave.

If a token on Aave becomes unsupported, users can no longer deposit those tokens, but they can still withdraw the token.

Impact

Instead of failing immediately when any of the affected functions is called, those functions will only revert once `IAave(_aaveV3Pool).supply()` is called in `_handleTokenOperations()` or `IAave(_aaveV3Pool).withdraw()` is called in `_redeemWTokenPrivate()`.

This means that anyone calling one of those functions with a token that is no longer supported on Aave pays more gas than necessary.

Tools Used

Manual Review

Recommendations

Add an `_unregisterCollateralToken` function to AaveDIVAWrapperCore and AaveDIVAWrapper.

`_createContingentPool` and `_addLiquidity` should no longer work for unregistered tokens. However, `_removeLiquidity`, `_redeemPositionToken` and `_redeemWToken` will still need to work for those tokens so that users can withdraw the corresponding collateral tokens from Aave.
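The gating described in the recommendation, as an added example that is not part of the submission or of the AaveDIVAWrapper code base. It assumes a standalone contract with hypothetical names, ERC-20 tokens that return `bool`, and 1:1 accounting without yield; only the `supply` and `withdraw` signatures are Aave V3's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not AaveDIVAWrapper code. Contract, function and error names are hypothetical.
interface IERC20Min {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}
interface IAavePoolMin { // the two Aave V3 Pool calls the finding refers to
    function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external;
    function withdraw(address asset, uint256 amount, address to) external returns (uint256);
}

contract CollateralGateExample {
    enum Status { Unknown, Registered, Unregistered }
    address public immutable owner;
    IAavePoolMin public immutable pool;
    mapping(address => Status) public status;
    mapping(address => mapping(address => uint256)) public credit; // user => token => amount
    error NotOwner();
    error NotRegistered(address token);
    error NeverRegistered(address token);
    constructor(IAavePoolMin pool_) { owner = msg.sender; pool = pool_; }
    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    function register(address token) external onlyOwner { status[token] = Status.Registered; }

    // Deregistration keeps the token's history so exits remain possible.
    function unregister(address token) external onlyOwner {
        if (status[token] != Status.Registered) revert NotRegistered(token);
        status[token] = Status.Unregistered;
    }

    // Entry path (stands in for create pool / add liquidity): reverts before any external call.
    function deposit(address token, uint256 amount) external {
        if (status[token] != Status.Registered) revert NotRegistered(token);
        credit[msg.sender][token] += amount;
        require(IERC20Min(token).transferFrom(msg.sender, address(this), amount), "transferFrom");
        require(IERC20Min(token).approve(address(pool), amount), "approve");
        pool.supply(token, amount, address(this), 0);
    }

    // Exit path (stands in for remove liquidity / redeem): allowed for unregistered tokens too.
    function withdraw(address token, uint256 amount) external {
        if (status[token] == Status.Unknown) revert NeverRegistered(token);
        credit[msg.sender][token] -= amount; // reverts on underflow in 0.8.x
        pool.withdraw(token, amount, msg.sender);
    }
}
```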

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] No way to remove collateral tokens

This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is a known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."
