HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Unlimited Allowance Approval in `AaveDIVAWrapperCore::_approveCollateralTokenForAave` Can Lead to Exploitation

Description: The `AaveDIVAWrapperCore::_approveCollateralTokenForAave` function allows the contract to approve a specified collateral token for use by the Aave V3 pool. The current implementation sets the allowance to the maximum possible value (`type(uint256).max - currentAllowance`) for the `_aaveV3Pool`. While this is a common practice to avoid repeated approvals, it introduces potential risks, particularly if the approved address is compromised or behaves maliciously.

Impact: The function sets the allowance to maximum, effectively granting unlimited spending rights to the `_aaveV3Pool` for the specified collateral token.

Please refer to this [article](https://kalis.me/unlimited-erc20-allowances) by Rosco Kalis titled "Unlimited ERC20 allowances considered harmful".

Recommended Mitigation: To reduce the risks while maintaining functionality, modify the function to accept an explicit amount parameter for the allowance. This ensures that only the required amount is approved, rather than granting unlimited access.

The modified function implementation is as follows:

```solidity
function _approveCollateralTokenForAave(address _collateralToken, uint256 _amount) internal {
    // Ensure the collateral token is registered before setting approval.
    if (_collateralTokenToWToken[_collateralToken] == address(0)) {
        revert CollateralTokenNotRegistered();
    }

    // Read the current allowance granted to the Aave V3 pool.
    uint256 currentAllowance = IERC20Metadata(_collateralToken).allowance(address(this), _aaveV3Pool);

    // If the current allowance is less than the desired amount, increase it by the difference.
    if (currentAllowance < _amount) {
        // Using OpenZeppelin's `safeIncreaseAllowance` to accommodate tokens like USDT on Ethereum that
        // require the approval to be set to zero before setting it to a non-zero value.
        IERC20Metadata(_collateralToken).safeIncreaseAllowance(_aaveV3Pool, _amount - currentAllowance);
    } else {
        // Optionally revert if the current allowance is already equal to or higher than the specified amount.
        revert AllowanceExceedsRequiredAmount();
    }
}
```
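
A call-site sketch of the exact-amount approach recommended above, added here as an illustration and not taken from the DIVA wrapper's code or from the submission. It swaps in OpenZeppelin's `forceApprove` (Contracts v5 assumed) in place of `safeIncreaseAllowance`; `ExactApprovalSupplier`, `IAavePoolLike`, `_supplyExact` and `ResidualAllowance` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Minimal view of the Aave V3 pool: only the `supply` entry point is needed here.
interface IAavePoolLike {
    function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external;
}

// Hypothetical contract: approves the pool for exactly one operation's amount.
contract ExactApprovalSupplier {
    using SafeERC20 for IERC20;

    address private immutable _aaveV3Pool;

    // Raised if the pool did not consume the whole approval.
    error ResidualAllowance(uint256 remaining);

    constructor(address aaveV3Pool_) {
        _aaveV3Pool = aaveV3Pool_;
    }

    function _supplyExact(address collateralToken, uint256 amount) internal {
        IERC20 token = IERC20(collateralToken);

        // Set the allowance to exactly `amount`. `forceApprove` falls back to
        // approve(0) followed by approve(amount) for tokens such as USDT that
        // reject a non-zero to non-zero change.
        token.forceApprove(_aaveV3Pool, amount);

        // The pool pulls `amount` from this contract via transferFrom.
        IAavePoolLike(_aaveV3Pool).supply(collateralToken, amount, address(this), 0);

        // Invariant: no spending rights remain with the pool after the call.
        uint256 remaining = token.allowance(address(this), _aaveV3Pool);
        if (remaining != 0) revert ResidualAllowance(remaining);
    }
}
```

Because the allowance is consumed inside the same call, the pool address holds no standing spending rights between operations, at the cost of an extra approval write on every supply.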
Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
