approveCollateralTokenForAave() has no access control, so anyone can revoke the Aave pool's allowance and disrupt deposits into the Aave supply.
When a collateralToken is registered, _aaveV3Pool's allowance for that token is set to uint256.max.
A malicious user can then call approveCollateralTokenForAave() to reset _aaveV3Pool's allowance to 0. Because of this, the Aave supply() call inside _handleTokenOperations() reverts.
_handleTokenOperations() is called by _createContingentPool() and _addLiquidity(), so neither of these functions works anymore.
The core functions registerCollateralToken() and addLiquidity() are disrupted.
Manual review
Add an access modifier to approveCollateralTokenForAave() so that a malicious user cannot set the Aave allowance to 0.
Alternatively, remove the unlimited approve() and instead approve() only the exact amount immediately before supplying funds to Aave.
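An added illustration of the issue and of both recommended fixes side by side; this is example code, not the audited project's contracts, and the interfaces, parameters and owner guard are assumed:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces assumed for this example (not the project's own).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IAaveV3Pool {
    function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external;
}

contract VaultVulnerable {
    IAaveV3Pool internal _aaveV3Pool;

    constructor(address pool) { _aaveV3Pool = IAaveV3Pool(pool); }

    // No access control: any caller can pass amount = 0 and revoke the
    // standing uint256.max allowance, after which every supply() reverts.
    function approveCollateralTokenForAave(address collateralToken, uint256 amount) external {
        require(IERC20(collateralToken).approve(address(_aaveV3Pool), amount), "approve failed");
    }

    function _handleTokenOperations(address collateralToken, uint256 amount) internal {
        // Reverts inside the pool's transferFrom once the allowance is 0.
        _aaveV3Pool.supply(collateralToken, amount, address(this), 0);
    }
}

contract VaultHardened {
    IAaveV3Pool internal _aaveV3Pool;
    address public owner; // assumed owner role for the access check

    constructor(address pool) { _aaveV3Pool = IAaveV3Pool(pool); owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Fix 1: only the owner may change the pool's allowance.
    function approveCollateralTokenForAave(address collateralToken, uint256 amount) external onlyOwner {
        require(IERC20(collateralToken).approve(address(_aaveV3Pool), amount), "approve failed");
    }

    // Fix 2: approve exactly the amount being supplied in the same call, so no
    // standing allowance exists that a third party could revoke beforehand.
    function _handleTokenOperations(address collateralToken, uint256 amount) internal {
        require(IERC20(collateralToken).approve(address(_aaveV3Pool), 0), "reset failed"); // some tokens need a reset to 0 first
        require(IERC20(collateralToken).approve(address(_aaveV3Pool), amount), "approve failed");
        _aaveV3Pool.supply(collateralToken, amount, address(this), 0);
    }
}
```

With Fix 2 in place the per-deposit approval is consumed immediately by supply(), so an attacker has no window in which a revoked allowance can block _createContingentPool() or _addLiquidity().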