HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Incorrect ERC20 Name Parameter in Constructor

1. Title: Incorrect ERC20 Name Parameter in Constructor

Root Cause: Misuse of the ERC20 constructor parameters.
Impact: The token name is incorrectly set, which can cause display issues in wallets, explorers, and dApps.
Severity: Medium. It introduces functional confusion and can affect adoption.


2. Summary

The WToken contract incorrectly passes the symbol_ parameter twice in the ERC20 constructor instead of providing a proper name and symbol separately. This issue affects the readability and proper identification of the token in various platforms. While it does not impact the contract's functionality in transfers, approvals, and minting, it can create confusion for users and prevent proper integration with third-party services.


3. Vulnerability Details

Code Snippet

constructor(string memory symbol_, uint8 decimals_, address owner_) ERC20(symbol_, symbol_) {

Issue

The constructor is incorrectly initialized with:

ERC20(symbol_, symbol_)

Instead of:

ERC20(name_, symbol_)

where name_ should be the full name of the token (e.g., "Wrapped Token"), and symbol_ should be the shorthand symbol (e.g., "WTK").


4. Root Cause

The developer mistakenly assumed that ERC20 only requires a symbol and duplicated its value instead of correctly assigning a token name.


https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/WToken.sol#L14


5. Impact

  • Token explorers, wallets, and dApps may display the symbol in place of the name, leading to inconsistencies.

  • Some platforms require the name to be unique for proper indexing, which could affect visibility.

  • It can mislead users and developers interacting with the token.


6. Tools Used

  • Hardhat: For compiling and testing the contract.

  • OpenZeppelin ERC20: Reference documentation for expected behavior.


7. Proof of Concept (PoC) - Hardhat Test

The following Hardhat test validates the issue by deploying the contract and checking if the token name is the same as the symbol:

Test Code (Hardhat - JavaScript)

const { expect } = require("chai");
const { ethers } = require("hardhat");

describe("WToken Constructor Bug", function () {
  let WToken, wtoken;
  let owner, addr1;

  before(async function () {
    [owner, addr1] = await ethers.getSigners();
    WToken = await ethers.getContractFactory("WToken");
  });

  it("Should have incorrect name due to constructor bug", async function () {
    // Deploy with the current three-argument constructor (symbol, decimals, owner)
    wtoken = await WToken.deploy("WTK", 18, owner.address);
    // ethers v5 API; with ethers v6 use waitForDeployment() instead
    await wtoken.deployed();

    // Check if name is incorrectly set to symbol
    expect(await wtoken.name()).to.equal(await wtoken.symbol());
  });
});

Output

  • Fail if the contract is correct (name ≠ symbol).

  • Pass if the contract is incorrect (name == symbol).


8. Mitigation

Modify the constructor to correctly accept a name_ parameter and pass it to the ERC20 constructor:

Fixed Code

constructor(string memory name_, string memory symbol_, uint8 decimals_, address owner_)
    ERC20(name_, symbol_)
{
    _owner = owner_;
    _decimals = decimals_;
}

Key Fixes

  • Added name_ as an explicit parameter.

  • Passed name_ instead of symbol_ in ERC20(name_, symbol_).

  • Ensured correct token metadata for wallet and dApp compatibility.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
