HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Valid

Incorrect parameter order passed to the AaveDIVAWrapperCore constructor causes protocol-wide DoS

Summary

The AaveDIVAWrapper contract passes constructor parameters in the wrong order, swapping aaveV3Pool_ and diva_, causing address mismatches. This misconfiguration leads to failed interactions with the Aave V3 Pool and Diva protocol, resulting in a protocol-wide DoS.

While the test suite works correctly because it manually passes the arguments in the right order, the deployment script still uses the incorrect order.

Vulnerability Details

The AaveDIVAWrapper contract inherits from AaveDIVAWrapperCore, which expects three parameters in its constructor: diva_, aaveV3Pool_, and owner_. However, in the AaveDIVAWrapper constructor, these parameters are passed in an incorrect order as aaveV3Pool_, diva_, and owner_, leading to a mismatch.

The test suite in AaveDIVAWrapper.test.ts still works correctly because it correctly passes diva_, aaveV3Pool_, and owner_ to the constructor. However, if the order of diva_ and aaveV3Pool_ is swapped and the tests are rerun, most test cases will fail.

The parameter order of AaveDIVAWrapperCore is diva_, aaveV3Pool_, and owner_.

// @audit-issue the parameter order is (diva_, aaveV3Pool_, owner_)
constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {
    // Validate that none of the input addresses is zero to prevent unintended initialization with default addresses.
    // Zero address check on `owner_` is performed in the OpenZeppelin's `Ownable` contract.
    if (diva_ == address(0) || aaveV3Pool_ == address(0)) {
        revert ZeroAddress();
    }
    // Store the addresses of DIVA Protocol and Aave V3 in storage.
    _diva = diva_;
    _aaveV3Pool = aaveV3Pool_;
}

Reference: https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L52

However, the parameter order of the AaveDIVAWrapper constructor is aaveV3Pool_, diva_, and owner_.

// @audit-issue the parameter order is (_aaveV3Pool, _diva, _owner)
constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}

Reference: https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L12
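
The mismatch between the two headers above can be caught mechanically before deployment. The following is an added example, not code from the audited repository: a positional lint that compares the names forwarded to a base constructor with the names the base declares. The helper names (`norm`, `names`, `declaredParams`, `forwardedArgs`, `lintForwarding`) are hypothetical, the signature strings are copied from this report, and the check assumes that a parameter name identifies its role once underscores and case are ignored.

```typescript
// Added example: constructor headers below are the ones quoted in this report.
const CORE_SIG =
  "constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {";
const WRAPPER_SIG =
  "constructor(address _aaveV3Pool, address _diva, address _owner) " +
  "AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}";
// Same header with the forwarding order corrected to match the base contract.
const FIXED_SIG =
  "constructor(address _aaveV3Pool, address _diva, address _owner) " +
  "AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}";

interface Mismatch { position: number; expected: string; got: string; }

// Assumption: a name still identifies its role once underscores and case are dropped.
const norm = (name: string): string => name.replace(/_/g, "").toLowerCase();

// Split a comma-separated list and keep the last token of each item (the name).
function names(list: string): string[] {
  return list.split(",").map((s) => s.trim().split(/\s+/).pop() ?? "").filter((n) => n !== "");
}

// Parameter names declared in `constructor(<type> <name>, ...)`.
function declaredParams(sig: string): string[] {
  const m = /constructor\s*\(([^)]*)\)/.exec(sig);
  if (!m) throw new Error("no constructor header found");
  return names(m[1] ?? "");
}

// Argument names in the modifier-style base call `<base>(...)` of the header.
function forwardedArgs(sig: string, base: string): string[] {
  const m = new RegExp("\\b" + base + "\\s*\\(([^)]*)\\)").exec(sig);
  if (!m) throw new Error("no call to " + base + " found");
  return names(m[1] ?? "");
}

// Compare each forwarded argument with the base parameter at the same position.
function lintForwarding(childSig: string, base: string, baseSig: string): Mismatch[] {
  const expected = declaredParams(baseSig);
  const got = forwardedArgs(childSig, base);
  if (expected.length !== got.length) throw new Error("argument count differs");
  return expected
    .map((e, i) => ({ position: i, expected: e, got: got[i] ?? "" }))
    .filter((x) => norm(x.expected) !== norm(x.got));
}

console.log(lintForwarding(WRAPPER_SIG, "AaveDIVAWrapperCore", CORE_SIG));
```

Because all three parameters are `address`, the compiler accepts either order; a name-based check like this, or a post-deployment read-back of the stored addresses, is what surfaces the swap.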

Impact

Due to the parameter mismatch, the diva_ contract address stored in AaveDIVAWrapper will be incorrectly set to the address of the Aave V3 Pool, while the aaveV3Pool_ address will be set to the Diva protocol address. As a result, all operations that interact with the Aave V3 Pool and Diva protocol will fail, as the contract will attempt to execute calls against the wrong addresses. Since these interactions are critical for the protocol’s functionality, this issue effectively causes a protocol-wide denial of service (DoS).

This issue is highly likely to happen, as the parameter order in the deployment file deployAaveDIVAWrapper.ts is incorrect.

const aaveDIVAWrapper = await AaveDIVAWrapper.deploy(
    AAVE_V3_POOL,
    DIVA,
    OWNER,
);

Tools Used

Manual Review

Recommendations

Pass the parameters in the correct order in the AaveDIVAWrapper constructor:

- constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
+ constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {
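
Review bot: the `+` line ends with an opening `{` and no closing brace, so the constructor as written will not compile; close it with `{}` as on the removed line. The wrapper's own signature also stays `(_aaveV3Pool, _diva, _owner)`, which matches the argument order in deployAaveDIVAWrapper.ts, but the calls in AaveDIVAWrapper.test.ts that pass `diva_` first will be forwarded swapped once this lands, so the test arguments should be reordered in the same change.
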
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Constructor arguments mismatch
