Aave DIVA Wrapper

Summary

There's a mismatch in the order of constructor arguments between AaveDIVAWrapperCore and AaveDIVAWrapper. The contract AaveDIVAWrapperCore expects (address diva_, address aaveV3Pool_, address owner_), while the AaveDIVAWrapper contract passes them as (address _aaveV3Pool, address _diva, address _owner). This causes the wrong addresses to be assigned internally, leading to improper setup.

Vulnerability Details

• AaveDIVAWrapperCore constructor signature:

  constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) { ... }

• AaveDIVAWrapper constructor call:

  constructor(address _aaveV3Pool, address _diva, address _owner)

  AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner)

  { ... }

• Because of the argument ordering mismatch, the _aaveV3Pool passed to AaveDIVAWrapper will get assigned to diva_, and _diva will get assigned to aaveV3Pool_.

• This leads to:

  • AaveDIVAWrapperCore believing that the DIVA Protocol contract is at the address of the Aave Pool.

  • AaveDIVAWrapperCore believing the Aave Pool contract is at the address of the DIVA Protocol.

Impact

• The contract will be initialized with incorrect addresses:

  • Complete DOS of the protocol

  • Will need to redploy a new contract

• While the owner could work around this by reversing the arguments in the setup, the current code in the deployment script deployAaveDIVAWrapper.ts shows that it provides AAVE_V3_POOL first, then DIVA:

And this script with this vulnerability will be used for mainnet deployement.

Tools Used

• Manual code review.

Recommendations

Update AaveDIVAWrapper.sol to match the AaveDIVAWrapperCore constructor argument order: