HardhatDeFi
15,000 USDC
View results
Submission Details
Severity: low
Valid

Wrong constructor parameters order

Summary

The AaveDIVAWrapper contract incorrectly invokes the AaveDIVAWrapperCore constructor with mismatched parameter ordering. This can lead to the contract being initialized with the wrong addresses for the DIVA Protocol and Aave V3 Pool, potentially causing malfunctions and unexpected behavior.

Vulnerability Details

The vulnerability stems from an inconsistency in how the constructor parameters are ordered between the AaveDIVAWrapperCore contract and the AaveDIVAWrapper contract that inherits from it.

In AaveDIVAWrapperCore.sol, the constructor is defined with the following parameter order:

// SPDX-License-Identifier: MIT
pragma solidity 0.8.26;
// ...
abstract contract AaveDIVAWrapperCore is IAaveDIVAWrapper, Ownable2Step {
// ...
constructor(
address diva_,
address aaveV3Pool_,
address owner_
) Ownable(owner_) {
// ...
_diva = diva_;
_aaveV3Pool = aaveV3Pool_;
}
// ...
}

However, when AaveDIVAWrapper invokes the AaveDIVAWrapperCore constructor in AaveDIVAWrapper.sol, it uses a different parameter order:

// SPDX-License-Identifier: MIT
pragma solidity 0.8.26;
import {AaveDIVAWrapperCore} from "./AaveDIVAWrapperCore.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
contract AaveDIVAWrapper is AaveDIVAWrapperCore, ReentrancyGuard {
constructor(address _aaveV3Pool, address _diva, address _owner)
AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
// ...
}

As you can see, the _aaveV3Pool and _diva parameters are swapped in the AaveDIVAWrapper constructor compared to the order expected by AaveDIVAWrapperCore.

This mismatch can lead to the AaveDIVAWrapperCore contract being initialized with the wrong addresses. Specifically:

  • _aaveV3Pool from AaveDIVAWrapper will be assigned to diva_ in AaveDIVAWrapperCore

  • _diva from AaveDIVAWrapper will be assigned to aaveV3Pool_ in AaveDIVAWrapperCore

Only the _owner parameter is passed correctly due to its position as the last argument in both constructors.

Impact

The impact of this vulnerability is that the AaveDIVAWrapperCore contract, which forms the core logic of the system, will be initialized with incorrect addresses for the DIVA Protocol and Aave V3 Pool.

Similarly, when the AaveDIVAWrapperCore contract is set up with the wrong addresses, it might seem to deploy and operate normally at first. But under the hood, it's interacting with the wrong external contracts. This could lead to a range of issues, such as:

  • Transactions being sent to incorrect destinations

  • Failures when trying to interact with the intended DIVA Protocol or Aave V3 Pool

  • Unexpected errors or strange behavior in functions that rely on these external interactions

  • Potential loss of funds if tokens are mistakenly sent to the wrong places

The exact impact would depend on how the AaveDIVAWrapper is used within the larger system and what capabilities it has. But in a worst-case scenario, this mixup could cause a significant portion of the system to malfunction or produce incorrect results.

Tools Used

The vulnerability was identified through manual code review and analysis. No automated tools were necessary, as the issue is apparent from comparing the constructor parameter ordering in the relevant contracts.

Recommendations

To mitigate this vulnerability, the constructor in AaveDIVAWrapperCore should be updated to match the parameter order used in the AaveDIVAWrapper constructor:

- constructor(
- address diva_,
- address aaveV3Pool_,
- address owner_
- ) Ownable(owner_) {
+ constructor(
+ address aaveV3Pool_,
+ address diva_,
+ address owner_
+ ) Ownable(owner_) {
// ...
_diva = diva_;
_aaveV3Pool = aaveV3Pool_;
}

By aligning the parameter order, the AaveDIVAWrapperCore contract will be initialized with the correct addresses when invoked from AaveDIVAWrapper, ensuring the system interacts with the intended external contracts.

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Constructor arguments mismatch

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.