HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Valid

Hardcoded Aave Pool Address

Summary

The AaveDIVAWrapperCore contract hardcodes the Aave V3 pool address using an immutable variable, violating Aave's recommended practice of using their PoolAddressProvider system for dynamic address resolution.

Vulnerability Details

The contract initializes and stores the Aave pool address as an immutable variable in the constructor:

address private immutable _aaveV3Pool; // Pool contract address

constructor(address diva_, address aaveV3Pool_, address owner_) {
    _aaveV3Pool = aaveV3Pool_;
}

This implementation directly contradicts Aave's documentation, which states:

"The LendingPoolAddressesProvider is the core registry of the Aave protocol... we recommended you fetch the correct address from the LendingPoolAddressesProvider"

Impact

  • Protocol Breakage Risk: If Aave migrates to a new pool contract, all deployed instances would become permanently broken

  • Upgrade Inability: Requires a full redeployment rather than a simple configuration update

  • Loss of Yield: Existing positions would be frozen with no migration path

Tools Used

  • Manual code review

  • Aave protocol documentation analysis

Recommendations

  • Follow Aave's recommendation and use LendingPoolAddressesProvider.getLendingPool() to retrieve the latest pool address before each call to the pool.
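
The recommendation as an added example, not code from AaveDIVAWrapperCore or from this submission: a hypothetical wrapper that pins the addresses provider at deployment and resolves the pool on every call. Because the finding concerns Aave V3, it uses the V3 registry interface, IPoolAddressesProvider.getPool(); the contract name, custom errors and helper functions are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal slices of the Aave V3 interfaces; all other names below are hypothetical.
interface IPoolAddressesProvider {
    function getPool() external view returns (address);
}

interface IPool {
    function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external;
    function withdraw(address asset, uint256 amount, address to) external returns (uint256);
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical wrapper, not AaveDIVAWrapperCore.
contract ProviderResolvedWrapper {
    // The registry is pinned at deployment; the pool is looked up on every call.
    IPoolAddressesProvider private immutable _addressesProvider;

    error ZeroAddress();
    error PoolNotSet();

    constructor(address addressesProvider_) {
        if (addressesProvider_ == address(0)) revert ZeroAddress();
        _addressesProvider = IPoolAddressesProvider(addressesProvider_);
    }

    // Resolve the current pool and fail closed if the registry returns nothing.
    function _pool() internal view returns (IPool) {
        address pool = _addressesProvider.getPool();
        if (pool == address(0)) revert PoolNotSet();
        return IPool(pool);
    }

    function _supply(address asset, uint256 amount) internal {
        IPool pool = _pool();
        // Approve the exact amount to the pool resolved now: an unlimited allowance
        // granted once at setup would stay with the old address after a migration.
        IERC20(asset).approve(address(pool), amount);
        pool.supply(asset, amount, address(this), 0);
    }

    function _withdraw(address asset, uint256 amount, address to) internal returns (uint256) {
        return _pool().withdraw(asset, amount, to);
    }
}
```

With this design the wrapper follows whatever pool address the provider returns, so the provider address becomes the value that must be verified at deployment. For tokens whose approve returns no value, a safe-approve helper such as OpenZeppelin's SafeERC20.forceApprove would replace the raw approve call.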

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Immutable Aave pool address
