HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Lack of Mechanism to Unregister Collateral Tokens in `AaveDIVAWrapperCore` Contract

Summary

The `AaveDIVAWrapperCore` contract contains a function to register collateral tokens, which maps these tokens to their wrapped equivalents. However, the contract does not provide a mechanism to unregister a collateral token once it has been registered. This limitation could lead to issues in managing and maintaining the token registry, especially if a token becomes obsolete, deprecated, or compromised.

Vulnerability Details

The `_registerCollateralToken` function allows the registration of collateral tokens and their corresponding wrapped tokens, but there is no function to reverse or remove this mapping.
Once a token is registered, it permanently remains in the contract’s mappings (`collateralTokenToWrappedToken` and `wrappedTokenToCollateralToken`), even if it becomes irrelevant or problematic.

Impact

The inability to unregister tokens leads to bloated mappings and increased complexity for managing tokens.

Tools Used

Manual Review

Recommendations

Implement a function, for example `unregisterCollateralToken`, to remove a collateral token and its wrapped equivalent from the mappings, and ensure that only authorized addresses can call this function.

+ function unregisterCollateralToken(address collateralToken) external onlyOwner {
+ address _wToken = collateralTokenToWrappedToken[collateralToken];
+ require(_wToken != address(0), "Token not registered");
+ delete _collateralTokenToWrappedToken[_collateralToken];
+ delete _wrappedTokenToCollateralToken[_wToken];
+ emit CollateralTokenUnregistered(collateralToken, wrappedToken);
}
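
Review bot: The identifiers in this function do not agree with each other, so it would not compile as written: the parameter is `collateralToken` but the first `delete` indexes with `_collateralToken`, the mapping is read as `collateralTokenToWrappedToken` but deleted as `_collateralTokenToWrappedToken`, and the `emit` passes `wrappedToken` where the local variable is `_wToken`. Pick one spelling for each name and use it throughout. `CollateralTokenUnregistered` is not declared in the lines shown and would need an event declaration, and the closing brace is missing its `+` marker. Both mapping entries are also deleted with no check on wrapped tokens that may still be outstanding, so the suggestion should state how holders of an already registered token are handled after removal.
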
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] No way to remove collateral tokens

This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is a known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."
