HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Tokens with <6 or >18 decimals can be wrongly registered as supported by the AaveDivaWrapper

Summary

A token whose number of decimals is not supported by Diva (<6 or >18) may be wrongly, and irreversibly, registered as supported collateral in the contract.

Vulnerability Details

The function AaveDivaWrapperCore::_registerCollateralToken registers the tokens that the contract can support. It first checks whether the asset is supported by Aave, but it does not check whether the token's number of decimals is also supported by Diva (Diva supports only tokens with between 6 and 18 decimals and cannot create a pool using a token with any other number of decimals).
For example, on Aave on Polygon there is a stablecoin with 2 decimals (the protocol seems to use mainly stablecoins) called STASIS EURS Token (EURS) (https://polygonscan.com/token/0xe111178a87a3bff0c8d18decba5798827539ae99). This token can be mistakenly registered as supported, and since there is no function to revoke a registration, the action is irreversible. A user who wants to create a pool may see unsupported tokens declared as supported.

Impact

Impact is low: the action is irreversible and creates unexpected behavior, without consequences.

Tools Used

Manual review

Recommendations

In AaveDivaWrapperCore::_registerCollateralToken, add a check on the decimals of _collateralTokenContract (the aToken):

require(6 <= _collateralTokenContract.decimals(), "UnsupportedCollateralToken");
require(_collateralTokenContract.decimals() <= 18, "UnsupportedCollateralToken");
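
The recommended check in a self-contained form, as an added example that is not the AaveDivaWrapper source. It goes one step beyond the two require lines by failing closed when a token does not expose decimals() at all; CollateralRegistry, MockToken, register and the error names are hypothetical, and the 6 to 18 range is the one this report attributes to Diva.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; NOT the AaveDivaWrapper code. All names are hypothetical.
interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

// Constructed stand-in for a token with an arbitrary number of decimals,
// e.g. deploy with 2 to mimic the EURS case described in the report.
contract MockToken {
    uint8 public immutable decimals;
    constructor(uint8 d) { decimals = d; }
}

contract CollateralRegistry {
    uint8 public constant MIN_DECIMALS = 6;  // lower bound stated in the report
    uint8 public constant MAX_DECIMALS = 18; // upper bound stated in the report

    mapping(address => bool) public isRegistered;

    error UnsupportedDecimals(address token, uint8 decimals);
    error DecimalsNotReadable(address token);
    error AlreadyRegistered(address token);

    function register(address token) external {
        if (isRegistered[token]) revert AlreadyRegistered(token);
        uint8 d = _readDecimals(token);
        if (d < MIN_DECIMALS || d > MAX_DECIMALS) revert UnsupportedDecimals(token, d);
        // Registration is one-way (there is no revoke), so every validation
        // has to happen before this write.
        isRegistered[token] = true;
    }

    // decimals() is optional in ERC-20: reject the token if the address has no
    // code or the call reverts, instead of treating the token as supported.
    function _readDecimals(address token) internal view returns (uint8) {
        if (token.code.length == 0) revert DecimalsNotReadable(token);
        try IERC20Decimals(token).decimals() returns (uint8 d) {
            return d;
        } catch {
            revert DecimalsNotReadable(token);
        }
    }
}
```

Calling register with a MockToken deployed with 2 decimals reverts with UnsupportedDecimals, while one deployed with 6 or 18 is registered.
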
Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
