Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

### [M-2] Infinite Approval Risks in `AaveDIVAWrapperCore._registerCollateralToken`

trepid

Description:
The function _registerCollateralToken grants infinite approvals (type(uint256).max) to both the DIVA Protocol (_diva) and Aave V3 (_aaveV3Pool). While this reduces gas costs for users, it exposes the contract to significant risk if either protocol is compromised. Malicious actors could exploit vulnerabilities in DIVA or Aave to drain all approved tokens from the AaveDIVAWrapper contract.

// In _registerCollateralToken:
_wTokenContract.approve(_diva, type(uint256).max);
_collateralTokenContract.approve(_aaveV3Pool, type(uint256).max);

impact:

  1. Funds Theft: If DIVA or Aave is exploited, attackers can transfer all tokens approved to them.

  2. Protocol Dependency: The security of AaveDIVAWrapper is directly tied to the security of external protocols.

  3. No Time for Mitigation: Users cannot react quickly enough to stop interactions during an active exploit

Proof of Concept:

Recomended Mitigation:

  1. Use finite, Incremental Approvals

  2. Implement a time-lock mechanism for approvals

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

trepid Submitter
6 months ago
bube Lead Judge
6 months ago
bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.