HardhatDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Invalid Logic in Pool creation

Summary

Source: https://github.com/Cyfrin/2025-01-diva/blob/main/contracts/src/AaveDIVAWrapperCore.sol#L150C1-L150C128

The issue lies in using the _collateralTokenToWToken mapping, which maps collateralToken to its corresponding wToken. Instead, the collateralToken address should be directly utilized in the operation.

Vulnerability Details

The code snippet provided contains flawed logic for determining the collateralToken address. Specifically, the contract uses the address of the wToken rather than the intended collateralToken for the given pool. This discrepancy can lead to failures in collateral handling and improper functionality of the protocol.

Impact

  • Failure in collateral calculations: The wrong token being used in calculations or contract logic.

  • Loss of funds or mismanagement: If the protocol processes funds with the incorrect token address, it could cause improper liquidity handling or user losses.

Tools Used

Recommendations

Replace the problematic mapping logic with the appropriate collateralToken address usage. Specifically, update the code to ensure it refers to the correct collateral token address as follows:

// Use the correct collateralToken address
collateralToken: _poolParams.collateralToken,

// Optional Improvement: Maintain a direct mapping for collateralToken-to-wToken only where needed
_wTokenToCollateralToken[_wToken] = _poolParams.collateralToken;

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
