HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Ensuring ERC-20 Compatibility in AaveDIVAWrapper’s Approval Mechanism

Summary

This audit evaluates the _approveCollateralTokenForAave function in the AaveDIVAWrapper contract, which manages collateral token approvals for Aave V3. The primary focus is on ensuring compatibility with various ERC-20 tokens, particularly those with non-standard approval behaviors, such as USDT.

Vulnerability Details

The function currently uses safeIncreaseAllowance from OpenZeppelin’s SafeERC20 library to adjust token allowances. However, some tokens, including USDT, require allowances to be set to zero before a new approval is granted. The absence of this reset mechanism may lead to transaction failures when interacting with these tokens.

IERC20Metadata(_collateralToken).safeIncreaseAllowance(_aaveV3Pool, type(uint256).max - currentAllowance);

Tokens like USDT enforce a rule where an existing nonzero allowance must be explicitly set to 0 before a new nonzero value can be approved. Since safeIncreaseAllowance does not handle this case, transactions could revert when attempting to approve USDT.

Impact

The current implementation may cause approval failures for collateral tokens like USDT, preventing deposits into Aave V3. This could disrupt contract functionality and user experience by making certain stablecoins unusable.

Tools Used

  • Manual code review for logic and security vulnerabilities

  • OpenZeppelin documentation to verify ERC-20 token approval behaviors

Recommendations

To ensure compatibility with all supported collateral tokens, replace safeIncreaseAllowance with forceApprove, which first resets the allowance to 0 before setting the new value:

IERC20Metadata(_collateralToken).forceApprove(_aaveV3Pool, type(uint256).max);

Justification

  • Ensures compatibility with tokens like USDT that require an explicit zero-reset before increasing the allowance.

  • Prevents transaction reverts caused by restrictive ERC-20 implementations.

  • Maintains security while improving contract usability.
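A way to check the approval behaviour discussed above against the SafeERC20 version a project actually pins. This is an added example, not code from the submission or from AaveDIVAWrapper. The contract and function names are hypothetical, the mock is constructed and reproduces only the USDT-style approval rule, and the imports assume OpenZeppelin Contracts 4.9 or later, where forceApprove exists.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock (hypothetical name): models only the restrictive approval rule.
contract ZeroFirstApprovalToken {
    // Public getter has the same signature as IERC20.allowance(owner, spender).
    mapping(address => mapping(address => uint256)) public allowance;

    // Like USDT, returns no value and rejects a nonzero -> nonzero change.
    function approve(address spender, uint256 value) external {
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset to zero first");
        allowance[msg.sender][spender] = value;
    }
}

/// Hypothetical harness: exposes the two calls quoted on this page so each
/// can be exercised separately against the mock.
contract ApprovalHarness {
    using SafeERC20 for IERC20;

    // Leaves a nonzero allowance in place so the next call hits the restrictive rule.
    function seed(address token, address spender, uint256 value) external {
        IERC20(token).forceApprove(spender, value);
    }

    // Same shape as the line quoted under "Vulnerability Details".
    function increaseToMax(address token, address spender) external {
        uint256 current = IERC20(token).allowance(address(this), spender);
        IERC20(token).safeIncreaseAllowance(spender, type(uint256).max - current);
    }

    // Same shape as the line quoted under "Recommendations".
    function forceToMax(address token, address spender) external {
        IERC20(token).forceApprove(spender, type(uint256).max);
    }
}
```

In a Hardhat test, deploy both contracts, call seed with a nonzero value, then call increaseToMax and forceToMax in separate transactions and record which of them, if any, reverts with the installed library version.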

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
