Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

incorrect input addresses in `constructor()`

avci

Summary

incorrect input addresses in constructor()

Vulnerability Details

In AaveDIVAWrapper contract's constructor():

constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}

As we can see, the first input parameter is the Aave V3 pool address, and the second parameter is the DIVA protocol address. These values are then passed to the AaveDIVAWrapperCore contract's constructor():

constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {
// Validate that none of the input addresses is zero to prevent unintended initialization with default addresses.
// Zero address check on `owner_` is performed in the OpenZeppelin's `Ownable` contract.
if (diva_ == address(0) || aaveV3Pool_ == address(0)) {
revert ZeroAddress();
}
// Store the addresses of DIVA Protocol and Aave V3 in storage.
_diva = diva_;
_aaveV3Pool = aaveV3Pool_;
}

However, in the AaveDIVAWrapperCore contract, the first parameter is diva_, and the second is aaveV3Pool_, meaning the order should be reversed.

Impact

This mismatch can cause confusion and require contract redeployment.

Tools Used

Manual Review

Recommendations

ensure the input addresses are passed in the correct way.

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Constructor arguments mismatch

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.