The _registerCollateralToken function in the AaveDIVAWrapperCore contract generates a wrapped token (WToken) symbol by prefixing the original collateral token's symbol with "w". However, this approach can lead to ambiguity in environments like Arbitrum, where multiple tokens (e.g., USDC and USDC.e) share the same symbol ("USDC"). This results in identical WToken symbols, making it impossible to distinguish between the wrapped versions of these tokens.
In Arbitrum, tokens like USDC (native) and USDC.e (bridged) share the same symbol value ("USDC").
USDC: https://arbiscan.io/address/0xaf88d065e77c8cc2239327c5edb3a432268e5831#readProxyContract
USDC.e: https://arbiscan.io/address/0xff970a61a04b1ca14834a43f5de4533ebddb5cc8#readProxyContract
When _registerCollateralToken generates a WToken symbol by simply prefixing the original token's symbol with "w", both USDC and USDC.e would result in the same WToken symbol ("wUSDC").
This creates ambiguity, as the WToken symbol no longer uniquely identifies the underlying collateral token.
Users and contracts interacting with the WToken would be unable to distinguish between wrapped versions of USDC and USDC.e. This could lead to confusion, misallocations, or even financial losses if users mistakenly interact with the wrong WToken.
The impact is Low and the likelihood is High, so the severity is Medium.
Manual Review
Add a new parameter string memory _wTokenSymbol to the _registerCollateralToken function, allowing the caller to specify the symbol for the WToken.
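A minimal Solidity sketch of the recommendation above, added here as an illustration and not taken from AaveDIVAWrapperCore. The contract name, storage layout, errors, owner check and the uniqueness check on the supplied symbol are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not AaveDIVAWrapperCore code. Every name below is hypothetical.
interface IERC20Symbol {
    function symbol() external view returns (string memory);
}

contract WTokenSymbolRegistry {
    address public immutable owner;
    // collateral token => symbol chosen for its wrapped token
    mapping(address => string) public wTokenSymbolOf;
    // keccak256(wToken symbol) => collateral token that claimed it
    mapping(bytes32 => address) public collateralOfSymbol;

    error NotOwner();
    error EmptySymbol();
    error AlreadyRegistered(address collateralToken);
    error SymbolTaken(string wTokenSymbol, address existingCollateral);

    event CollateralTokenRegistered(address indexed collateralToken, string wTokenSymbol);

    constructor() {
        owner = msg.sender;
    }

    // Derivation the finding describes: "w" + symbol(). Two collateral tokens
    // whose symbol() both return "USDC" both map to "wUSDC".
    function derivedSymbol(address collateralToken) public view returns (string memory) {
        return string.concat("w", IERC20Symbol(collateralToken).symbol());
    }

    // Recommended shape: the caller passes _wTokenSymbol explicitly.
    // The uniqueness check is an assumption added here, so that an explicit
    // symbol cannot reintroduce the collision.
    function registerCollateralToken(address _collateralToken, string memory _wTokenSymbol) external {
        if (msg.sender != owner) revert NotOwner();
        if (bytes(_wTokenSymbol).length == 0) revert EmptySymbol();
        if (bytes(wTokenSymbolOf[_collateralToken]).length != 0) revert AlreadyRegistered(_collateralToken);

        bytes32 key = keccak256(bytes(_wTokenSymbol));
        if (collateralOfSymbol[key] != address(0)) revert SymbolTaken(_wTokenSymbol, collateralOfSymbol[key]);

        collateralOfSymbol[key] = _collateralToken;
        wTokenSymbolOf[_collateralToken] = _wTokenSymbol;
        emit CollateralTokenRegistered(_collateralToken, _wTokenSymbol);
    }
}
```

Because the symbol is supplied by the caller, integrators should still resolve a WToken by its collateral token address rather than by its symbol string.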