Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

ERC20 constructor allows same symbol for name and symbol

safdie

Summary

The constructor in the `WToken` contract assigns the same value to both the token name and the token symbol. While this might not inherently lead to a vulnerability, it can create issues in certain scenarios where there is a need to differentiate between the token's "name" and "symbol". In particular, a poorly designed naming convention can lead to confusion, inefficiencies in tracking, and potential errors in systems interacting with the token, such as wallets or exchanges.

Vulnerability Details

The constructor code provided is:

https://github.com/Cyfrin/2025-01-diva/blob/5b7473c13adf54a4cd1fd6b0f37ab6529c4487dc/contracts/src/WToken.sol#L14-L18

constructor(string memory symbol_, uint8 decimals_, address owner_) ERC20(symbol_, symbol_) {

// name = symbol for simplicity

_owner = owner_;

_decimals = decimals_;

}

In the constructor, both the name and symbol of the ERC20 token are being set to the same value, passed as symbol_.

The token’s name is typically intended to be a human-readable name (e.g., "Wrapped Bitcoin"), whereas the symbol is a short code (e.g., "WBTC").

Setting both the name and symbol to the same value may lead to confusion and problems when interacting with wallets, exchanges, or dApps that expect these to be different.

Impact

While this isn't necessarily a severe security vulnerability (e.g., no immediate risks like reentrancy or overflow), it could cause confusion or errors in external systems such as:

Wallets: Wallet interfaces that expect name and symbol to differ might display confusing information.
Exchanges: When interacting with token listings or during the creation of token pairs, exchanges might face difficulties in properly labeling the token.
User experience: End users may be confused about the difference between the name and symbol of the token.

In the worst case, it could result in a poor user experience, as some wallets, apps, or services may expect a different name and symbol to appear.

Tools Used

Manual review.

Recommendations

Assign a different value to name_ and symbol_ parameters in the constructor to provide clarity and avoid potential conflicts with other services or systems interacting with the token.

constructor(string memory name_, string memory symbol_, uint8 decimals_, address owner_) ERC20(name_, symbol_) {

// Setting name and symbol to be different

_owner = owner_;

_decimals = decimals_;

}

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.