HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Can't register collateral tokens that do not have a decimals function

Description

The decimals() function is not a part of the ERC-20 standard, and was added later as an optional extension. As such, some valid ERC20 tokens do not support this interface, so it is unsafe to blindly cast all tokens to this interface, and then call this function.
The ERC-20 standard does not mandate the implementation of symbol() and decimals() functions. If a collateral token does not support these functions, any attempt to retrieve this data in _registerCollateralToken will fail, leading to a contract revert.

    IERC20Metadata _collateralTokenContract = IERC20Metadata(
        _collateralToken
    );
    // Deploy a token that represents a wrapped version of the collateral token to be used as proxy collateral in DIVA Protocol.
    // The symbol and name of the wToken are derived from the original collateral token, prefixed with 'w' (e.g., wUSDT or wUSDC).
    // This naming convention helps in identifying the token as a wrapped version of the original collateral token.
    // The wToken decimals are aligned with those of the collateral token and the aToken.
    // This contract is set as the owner and has exclusive rights to mint and burn the wToken.
    WToken _wTokenContract = new WToken(
        string(abi.encodePacked("w", _collateralTokenContract.symbol())),
        _collateralTokenContract.decimals(), // @=> reverts if the token does not implement decimals()
        address(this) // wToken owner
    );

Impact

The function relies on IERC20Metadata to fetch symbol() and decimals(), assuming all tokens comply with this extended interface.
A revert due to missing functions could prevent certain ERC-20 tokens from being registered, limiting the system’s flexibility.
This could introduce compatibility issues particularly with tokens that adhere strictly to ERC-20 but do not implement IERC20Metadata.

Recommendation

Fallback Mechanism

Implement a try-catch block or alternative method to handle cases where symbol() or decimals() are missing.
Default to predefined values or allow manual input when the functions are absent.

Pre-validation Before Registration

Verify if a token implements IERC20Metadata before calling its methods.
Use supportsInterface() or a similar method to check for compliance.

Whitelist Approach

Allow only collateral tokens known to have symbol() and decimals(), maintaining a registry of verified tokens.
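
The fallback and pre-validation recommended above, as an added example that is not part of the submission or the DIVA code base: the optional getters are probed with a low-level staticcall, because try/catch does not catch a failure to decode the return data and few ERC-20 tokens implement supportsInterface(). The library name SafeTokenMetadata and its function names are hypothetical; what the caller does on a false result (revert, default value, manual input) is left to the registration logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: SafeTokenMetadata and its functions are hypothetical names.
library SafeTokenMetadata {
    // (true, d) only when decimals() returns one 32-byte word that fits uint8.
    // An address without code yields success with empty data, hence (false, 0).
    function tryDecimals(address token) internal view returns (bool, uint8) {
        (bool success, bytes memory data) =
            token.staticcall(abi.encodeWithSignature("decimals()"));
        if (!success || data.length != 32) return (false, 0);
        uint256 raw = abi.decode(data, (uint256));
        if (raw > type(uint8).max) return (false, 0);
        return (true, uint8(raw));
    }

    // Accepts both a standard `string` return and a `bytes32` return.
    function trySymbol(address token) internal view returns (bool, string memory) {
        (bool success, bytes memory data) =
            token.staticcall(abi.encodeWithSignature("symbol()"));
        if (!success) return (false, "");
        if (data.length == 32) {
            // bytes32 symbol: copy bytes up to the first zero byte
            bytes32 raw = abi.decode(data, (bytes32));
            uint256 len;
            while (len < 32 && raw[len] != 0x00) len++;
            if (len == 0) return (false, "");
            bytes memory out = new bytes(len);
            for (uint256 i = 0; i < len; i++) out[i] = raw[i];
            return (true, string(out));
        }
        // Check the ABI head by hand: abi.decode reverts on malformed data
        // and that revert cannot be caught inside the same call frame.
        if (data.length < 64) return (false, "");
        (uint256 offset, uint256 strLen) = abi.decode(data, (uint256, uint256));
        if (offset != 32 || strLen == 0 || strLen > data.length - 64) return (false, "");
        return (true, abi.decode(data, (string)));
    }
}
```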

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
