HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Valid

Incorrect Constructor Argument Order in AaveDIVAWrapper Contract

Summary

The constructor of the AaveDIVAWrapper contract does not pass its arguments in
the order expected by AaveDIVAWrapperCore, leading to incorrect initialization
of the _diva and _aaveV3Pool state variables.

Vulnerability Details

AaveDIVAWrapper is initialized with the following arguments:

//@audit Incorrect order of arguments for AaveDIVAWrapperCore.
// _aaveV3Pool and _diva should swap positions.
constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}

But if we check AaveDIVAWrapperCore, the first argument is the address of the DIVA Protocol and the second argument is the address of `aaveV3Pool`.

constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {
    // Validate that none of the input addresses is zero to prevent unintended initialization with default addresses.
    // Zero address check on `owner_` is performed in the OpenZeppelin's `Ownable` contract.
    if (diva_ == address(0) || aaveV3Pool_ == address(0)) {
        revert ZeroAddress();
    }
    // Store the addresses of DIVA Protocol and Aave V3 in storage.
    _diva = diva_;
    _aaveV3Pool = aaveV3Pool_;
}

Impact

First, the contract will have to be redeployed, as there are no setters implemented to change these state variables. Furthermore, registerCollateralToken() will always revert in this case, rendering the contract unusable.

Tools Used

Manual analysis.

Recommendations

Use the correct order of arguments in the constructor of AaveDIVAWrapper.

constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}
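
A minimal reproduction of the mismatch, added here as an illustration and not code from the audited repository: Core, BuggyWrapper, FixedWrapper, DeploymentCheck and the stored() getter are hypothetical stand-ins, the owner argument is omitted, and the two addresses are constructed placeholders. It shows that the zero-address check passes for swapped arguments, so only a post-deployment comparison of the stored values catches the error.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in that mirrors the parameter order of
// AaveDIVAWrapperCore: (diva_, aaveV3Pool_). Not the audited contract.
contract Core {
    address private _diva;
    address private _aaveV3Pool;

    error ZeroAddress();

    constructor(address diva_, address aaveV3Pool_) {
        if (diva_ == address(0) || aaveV3Pool_ == address(0)) revert ZeroAddress();
        _diva = diva_;
        _aaveV3Pool = aaveV3Pool_;
    }

    // Hypothetical getter so the stored values can be inspected.
    function stored() external view returns (address diva, address aaveV3Pool) {
        return (_diva, _aaveV3Pool);
    }
}

// Same mistake as the finding: arguments forwarded in declaration order.
contract BuggyWrapper is Core {
    constructor(address _aaveV3Pool, address _diva) Core(_aaveV3Pool, _diva) {}
}

// Corrected forwarding, as in the recommendation.
contract FixedWrapper is Core {
    constructor(address _aaveV3Pool, address _diva) Core(_diva, _aaveV3Pool) {}
}

// Both inputs are non-zero, so the ZeroAddress guard passes either way;
// comparing the stored values against the inputs is what exposes the swap.
contract DeploymentCheck {
    address constant POOL = address(0xA11CE); // constructed placeholder
    address constant DIVA = address(0xD17A);  // constructed placeholder

    function swapIsDetected() external returns (bool) {
        BuggyWrapper buggy = new BuggyWrapper(POOL, DIVA);
        FixedWrapper fixedWrapper = new FixedWrapper(POOL, DIVA);
        (address d1, address p1) = buggy.stored();
        (address d2, address p2) = fixedWrapper.stored();
        // Buggy: the values land in each other's slots. Fixed: they match.
        return d1 == POOL && p1 == DIVA && d2 == DIVA && p2 == POOL;
    }
}
```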

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Constructor arguments mismatch
