AaveDIVAWrapper can register tokens but lacks a way to unregister them and gracefully retire funds.
DIVA cannot protect its users by suspending tokens that are too risky or have been hacked, as it can only register tokens and lacks a way to unregister them and gracefully retire funds.
It relies too much on Aave V3 governance, which could suspend a token, but the process always takes 5 days and depends on the votes; or DIVA might not think the same as Aave about the risk of a token and can't do anything about it.
The problem is that AaveDIVAWrapper lacks an unregister-collateral function to handle fast token-hacking scenarios or situations where it doesn't agree with Aave's risk assessment.
https://github.com/Cyfrin/2025-01-diva/blob/main/contracts/src/AaveDIVAWrapperCore.sol#L71-L121
In case of a hack of a token, users will still be able to create pools with _createContingentPool, and DIVA will need to wait at least 5 days for Aave V3 governance to suspend the token.
If DIVA doesn't have the same risk assessment as Aave, it can't do anything to unregister the risky token.
VS Code
Add an _unregisterCollateralToken function to AaveDIVAWrapper
and remove the check, to gracefully retire funds, in:
_removeLiquidity
_redeemWToken
_claimYield
This is invalid. If the collateral token is not supported by Aave or is invalid, `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is a known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."
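One way to structure the unregister path that the submission recommends, as an added sketch that is neither AaveDIVAWrapper code nor code from the submission. All contract, function and state names are hypothetical, and the balance mapping is an assumed stand-in for wToken accounting with no real token transfers:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only: NOT AaveDIVAWrapper code. All names are hypothetical.
contract CollateralRegistrySketch {
    // Retired is kept distinct from Unregistered so exit paths still resolve.
    enum Status { Unregistered, Active, Retired }

    address public immutable owner;
    mapping(address => Status) public status; // collateral token => lifecycle state
    // token => user => amount (assumed stand-in for wToken accounting)
    mapping(address => mapping(address => uint256)) public balanceOf;

    error NotOwner();
    error NotActive(address token);
    error NeverRegistered(address token);
    error AlreadyRegistered(address token);

    event CollateralRegistered(address indexed token);
    event CollateralRetired(address indexed token);

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }

    constructor() { owner = msg.sender; }

    function registerCollateralToken(address token) external onlyOwner {
        if (status[token] != Status.Unregistered) revert AlreadyRegistered(token);
        status[token] = Status.Active;
        emit CollateralRegistered(token);
    }

    /// One-way transition Active -> Retired; a retired token cannot be re-registered.
    function unregisterCollateralToken(address token) external onlyOwner {
        if (status[token] != Status.Active) revert NotActive(token);
        status[token] = Status.Retired;
        emit CollateralRetired(token);
    }

    /// Entry path (stand-in for creating pools or adding liquidity): Active only.
    function deposit(address token, uint256 amount) external {
        if (status[token] != Status.Active) revert NotActive(token);
        balanceOf[token][msg.sender] += amount;
    }

    /// Exit path (stand-in for remove liquidity, redeem, claim): Active or Retired.
    function withdraw(address token, uint256 amount) external {
        if (status[token] == Status.Unregistered) revert NeverRegistered(token);
        balanceOf[token][msg.sender] -= amount; // checked arithmetic reverts on underflow
    }
}
```

The point of the three-state enum is that retiring a token blocks new exposure while existing holders can still exit, which a plain mapping delete would not allow.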