HardhatDeFi
15,000 USDC
View results
Submission Details
Severity: low
Valid

Incorrect Constructor Initialization Causes Full DoS (Denial Of Service) in AaveDIVAWrapper

Summary:

The constructor parameters in AaveDIVAWrapper do not match the expected order in AaveDIVAWrapperCore. Specifically, AaveDIVAWrapper passes _aaveV3Pool as the first parameter, but AaveDIVAWrapperCore expects _diva first. This misalignment results in incorrect contract initialization, causing the protocol to be completely non-functional.

Vulnerability Details:

In AaveDIVAWrapper, the constructor is defined as:

constructor(address _aaveV3Pool, address _diva, address _owner)
AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}

However, in AaveDIVAWrapperCore, the constructor expects parameters in a different order:

constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) { }

This results in:

  • _aaveV3Pool being incorrectly assigned to diva_

  • _diva being incorrectly assigned to aaveV3Pool_

  • _owner being correctly assigned

Due to this misalignment, all interactions with the contract that depend on _diva or _aaveV3Pool will fail, leading to a full denial of service (DoS) for any protocol functionalities dependent on these addresses.

Impact:

  • Complete DoS of the protocol: Any function calls relying on diva_ or aaveV3Pool_ will fail due to invalid addresses.

  • Fund loss risk: If the contract interacts with external protocols (e.g., Aave), it might send funds to an unintended address, leading to irrecoverable losses.

Proof Of Concept:

  1. Deploy the AaveDIVAWrapper contract with the following parameters:

    • _aaveV3Pool: A valid Aave pool address

    • _diva: A valid DIVA token address

    • _owner: An address you control

  2. Attempt to interact with the contract's functionalities that depend on _diva or _aaveV3Pool.

  3. Observe that the contract fails to execute these functionalities due to incorrect initialization.

Proof Of Code:

  1. Copy the following code to contracts/test/ folder.

  2. Run the following commands to test the vulnerability: `forge

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "forge-std/Test.sol";
import "../src/AaveDIVAWrapper.sol";
import "../src/interfaces/IAave.sol";
import "../src/interfaces/IAaveDIVAWrapper.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
contract AaveDIVAWrapperTest is Test {
AaveDIVAWrapper public aaveDIVAWrapper;
address public aaveV3Pool = 0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2;
address public diva = 0x2C9c47E7d254e493f02acfB410864b9a86c28e1D;
address public owner = 0x0a7B725F595F44d38b1c16091EDE5945aF4De9FE;
address public owner1 = makeAddr("owner");
address public usdc = 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48;
address public alice = makeAddr("alice");
address public longRecipient = makeAddr("long");
address public shortRecipient = makeAddr("short");
address public dataprovider = makeAddr("dataprovider");
address public NFT = makeAddr("NFT");
function setUp() public {
// Fork the mainnet
vm.createSelectFork("https://eth.llamarpc.com");
aaveDIVAWrapper = new AaveDIVAWrapper(aaveV3Pool, diva, owner);
}
function test_DIVAWrapperFullDos() public {
vm.startPrank(owner);
vm.expectRevert();
aaveDIVAWrapper.registerCollateralToken(usdc);
vm.stopPrank();
}
}

Tools Used:

  • Manual code review

  • Foundry

Recommended Mitigation:

Update the constructor in AaveDIVAWrapper to pass parameters in the correct order:

contract AaveDIVAWrapper is AaveDIVAWrapperCore, ReentrancyGuard
- constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
+ constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}
Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Constructor arguments mismatch

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.