HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Irreversible Collateral Token Registration Creates Persistent Vulnerability to Compromised Tokens

Summary

Once a malicious or compromised collateral token has been registered via _registerCollateralToken(), there is no mechanism to remove it from the system. This creates a persistent security risk as malicious tokens remain active indefinitely.

The AaveDIVAWrapper contract allows registration of collateral tokens but lacks a corresponding deregistration function. The token registration is irreversible due to:

  1. The mappings _collateralTokenToWToken and _wTokenToCollateralToken can only be populated, never cleared

  2. Once a token is registered, it remains permanently active for creating new positions

  3. No admin function exists to remove compromised or malicious tokens

https://github.com/Cyfrin/2025-01-diva/blob/main/contracts/src/AaveDIVAWrapperCore.sol#L71

```solidity
mapping(address => address) private _collateralTokenToWToken;
mapping(address => address) private _wTokenToCollateralToken;

function _registerCollateralToken(address _collateralToken) internal returns (address) {
    // Registration logic but no corresponding deregistration function
}
```

Proof of Concept

  1. A token gets registered through _registerCollateralToken()

  2. The token contract is later compromised or discovered to be malicious

  3. Contract owner has no way to remove or deactivate the compromised token

  4. New positions can still be created with the compromised token indefinitely

Recommendation

Implement a deregistration function with appropriate safety checks:

```solidity
// Declarations the function below relies on
error CollateralTokenNotRegistered();
error ActivePositionsExist();
event CollateralTokenDeregistered(address indexed collateralToken, address indexed wToken);

function deregisterCollateralToken(address _collateralToken) external onlyOwner {
    address wToken = _collateralTokenToWToken[_collateralToken];
    if (wToken == address(0)) {
        revert CollateralTokenNotRegistered();
    }
    // Safety check for active positions
    if (IERC20(wToken).totalSupply() > 0) {
        revert ActivePositionsExist();
    }
    // Remove mappings
    delete _collateralTokenToWToken[_collateralToken];
    delete _wTokenToCollateralToken[wToken];
    emit CollateralTokenDeregistered(_collateralToken, wToken);
}
```

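The function above reverts whenever the wToken's totalSupply is above zero, so it cannot be used on a token that already backs open positions. The sketch below is an added example, not code from the submission or from AaveDIVAWrapper, and it goes beyond the recommendation by showing the "deactivate" alternative mentioned in the proof of concept: an owner-controlled flag that blocks new positions while leaving both mappings intact. The contract name, the `_disabled` flag, the errors, the event, the owner handling and the helper functions are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not AaveDIVAWrapper code. The flag, errors, event and
// function names introduced here are hypothetical.
abstract contract CollateralRegistrySketch {
    mapping(address => address) private _collateralTokenToWToken;
    mapping(address => address) private _wTokenToCollateralToken;
    mapping(address => bool) private _disabled; // hypothetical: blocks new positions only
    address public immutable owner;

    error NotOwner();
    error CollateralTokenNotRegistered();
    error CollateralTokenDisabled();
    event CollateralTokenDisabledSet(address indexed collateralToken, bool disabled);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Stand-in for the registration step: mappings are only ever populated.
    function _register(address collateralToken, address wToken) internal {
        _collateralTokenToWToken[collateralToken] = wToken;
        _wTokenToCollateralToken[wToken] = collateralToken;
    }

    // Works regardless of wToken.totalSupply(), and is reversible.
    function setCollateralTokenDisabled(address collateralToken, bool disabled) external onlyOwner {
        if (_collateralTokenToWToken[collateralToken] == address(0)) revert CollateralTokenNotRegistered();
        _disabled[collateralToken] = disabled;
        emit CollateralTokenDisabledSet(collateralToken, disabled);
    }

    // Call from entry points that create or add to positions.
    function _wTokenForNewPosition(address collateralToken) internal view returns (address wToken) {
        wToken = _collateralTokenToWToken[collateralToken];
        if (wToken == address(0)) revert CollateralTokenNotRegistered();
        if (_disabled[collateralToken]) revert CollateralTokenDisabled();
    }

    // Call from exit paths: the flag is deliberately not checked, so holders
    // of existing wTokens are not blocked by it.
    function _collateralForExit(address wToken) internal view returns (address collateralToken) {
        collateralToken = _wTokenToCollateralToken[wToken];
        if (collateralToken == address(0)) revert CollateralTokenNotRegistered();
    }
}
```
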
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] No way to remove collateral tokens

This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is a known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."
