Hardhat, DeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Missing Access Control on _registerCollateralToken()

Summary

The AaveDIVAWrapper contract experienced a revert during the _registerCollateralToken function. This revert was caused by a logical bug and lack of access control, preventing successful execution and potentially allowing unauthorized users to call the function.

Vulnerability Details

  1. Logical Bug:

    • The function _registerCollateralToken was reverting after the sha256 precompile call.

    • The exact cause of the revert needed detailed logging and analysis.

  2. Lack of Access Control:

    • The function lacked proper access control, allowing any caller to invoke it.

    • Missing access control increases the risk of unauthorized function calls.

Impact

  • Functionality: The revert prevents successful execution of _registerCollateralToken, hindering normal contract operations.

  • Security: Without access control, unauthorized users can invoke the function, which can disrupt normal operations and lead to potential misuse.

  • User Experience: Users might face issues interacting with the protocol, leading to a lack of trust and potential financial implications if the contract fails to perform as expected.

Tools Used

Thorough testing and manual review

Recommendations

Implement Access Control:

  • Use OpenZeppelin's Ownable contract and the onlyOwner modifier to restrict access to _registerCollateralToken.

  • Ensure only authorized users can call critical functions.

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
