HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Expects decimals() and symbol() Functions to be Implemented

Summary

_registerCollateralToken() in AaveDIVAWrapperCore.sol expects the collateral token to implement both the decimals() and symbol() functions. If the token does not implement them, _registerCollateralToken() reverts.

Vulnerability details

The ERC-20 standard states:

symbol

Returns the symbol of the token. E.g. “HIX”.

@> OPTIONAL - This method can be used to improve usability, but interfaces and other contracts MUST NOT expect these values to be present.

decimals

Returns the number of decimals the token uses - e.g. 8, means to divide the token amount by 100000000 to get its user representation.

@> OPTIONAL - This method can be used to improve usability, but interfaces and other contracts MUST NOT expect these values to be present.

https://eips.ethereum.org/EIPS/eip-20

The _registerCollateralToken() function calls symbol() and decimals() directly, assuming they exist:

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapperCore.sol#L92-L96

WToken _wTokenContract = new WToken(
@>  string(abi.encodePacked("w", _collateralTokenContract.symbol())),
@>  _collateralTokenContract.decimals(),
    address(this) // wToken owner
);

Root cause

The contract does not check whether the token implements the decimals() and symbol() functions before calling them.

Impact

Low – Most tokens implement these functions, so the likelihood of failure is low. However, the ERC-20 standard explicitly states that they are optional. This means a token can be created without them, and new token implementations or interfaces might omit them while adhering to the standard. Such tokens would end up not being usable by the protocol.

Recommendations

Check whether these functions are implemented or not.
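
One way to perform this check, as an added example that is not code from the submission or from the DIVA repository: a library that probes symbol() and decimals() with a low-level staticcall and validates the returned bytes before decoding them. The names SafeTokenMetadata, tryDecimals, trySymbol, requireMetadata and MissingTokenMetadata are hypothetical, and rejecting the token with an explicit error (rather than substituting defaults) is an assumed policy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example. All names in this library are hypothetical and are not
/// part of the audited code base.
library SafeTokenMetadata {
    error MissingTokenMetadata(address token);

    /// Probes decimals() without reverting when the token lacks it.
    function tryDecimals(address token) internal view returns (bool ok, uint8 value) {
        (bool success, bytes memory data) =
            token.staticcall(abi.encodeWithSignature("decimals()"));
        // A call to an address without code succeeds with empty return data,
        // so the length check is what rejects that case.
        if (!success || data.length < 32) return (false, 0);
        uint256 raw = abi.decode(data, (uint256));
        if (raw > type(uint8).max) return (false, 0);
        return (true, uint8(raw));
    }

    /// Probes symbol() and decodes only a well-formed ABI-encoded string.
    function trySymbol(address token) internal view returns (bool ok, string memory value) {
        (bool success, bytes memory data) =
            token.staticcall(abi.encodeWithSignature("symbol()"));
        // A string return is an offset word, a length word, then the payload.
        // Anything shorter (including a 32-byte bytes32 symbol) is rejected.
        if (!success || data.length < 64) return (false, "");
        (uint256 offset, uint256 len) = abi.decode(data, (uint256, uint256));
        // Reject layouts on which abi.decode(data, (string)) would revert.
        if (offset != 32 || len > data.length - 64) return (false, "");
        return (true, abi.decode(data, (string)));
    }

    /// Assumed policy: fail with an explicit error naming the token instead of
    /// an opaque revert from the missing function.
    function requireMetadata(address token)
        internal view returns (string memory sym, uint8 dec)
    {
        bool okSymbol;
        bool okDecimals;
        (okSymbol, sym) = trySymbol(token);
        (okDecimals, dec) = tryDecimals(token);
        if (!okSymbol || !okDecimals) revert MissingTokenMetadata(token);
    }
}
```

A try/catch around the high-level calls is weaker here: it does not catch the revert raised when the target has no code or when the returned data fails to decode, which is why the probe uses staticcall and checks the bytes itself.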

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
