Aave DIVA Wrapper

Summary

The function _approveCollateralTokenForAave incorrectly utilizes OpenZeppelin’s safeIncreaseAllowance method to approve allowances for tokens such as USDT on Ethereum. This method fails to reset allowances to zero before setting a new value, which violates the security requirements of non-compliant ERC20 tokens like legacy USDT. As a result, transactions involving these tokens will revert.

Vulnerability Details

Affected Code:

Root Cause:

• Non-Compliant Token Behavior: Tokens like legacy USDT enforce a security check that reverts transactions if the allowance is modified from a non-zero value without first resetting it to zero.

• safeIncreaseAllowance Mechanism: This method reads the current allowance, increments it, and calls approve with the new total. It does not reset the allowance to zero first, making it incompatible with non-standard tokens.

Impact

• Critical Protocol Failure: Transactions involving non-compliant tokens (e.g., USDT) will revert, preventing the protocol from approving allowances for Aave V3 interactions.

• Operational Disruption: Users cannot deposit or manage collateral tokens that follow this non-standard behavior, significantly degrading protocol functionality.

Tools Used

• Manual Code Review

Recommendations

To address this issue, replace the use of safeIncreaseAllowance with a two-step approval process:

1. Reset Allowance to Zero: First, set the allowance to zero to comply with the requirements of non-compliant tokens.

2. Set New Allowance: After resetting, set the allowance to the desired value.

Here’s an example implementation:

This approach ensures compatibility with both standard and non-compliant ERC20 tokens, preventing transaction reverts and maintaining protocol functionality.