Aave DIVA Wrapper

Summary

The AaveDIVAWrapper contract experienced issues during the _registerCollateralToken function, mainly due to high gas costs or reverts when deploying new WToken contracts. This could potentially leave the contract unusable if the WToken deployment fails due to gas constraints.

Vulnerability Details

High Gas Costs or Revert:

• The deployment of WToken within the _registerCollateralToken function can result in high gas costs or reverts, locking the execution and making the contract unusable.

Impact

• Functionality: The inability to successfully deploy WToken contracts prevents the AaveDIVAWrapper from registering collateral tokens, disrupting its core functionality.

• Usability: If the WToken deployment fails, it could leave the entire function execution in a locked state, rendering the contract unusable.

• Cost: High gas costs associated with deploying WToken contracts may make the function prohibitively expensive to execute.

Tools Used

Testing and manual review

Recommendations

1. Use a Factory Pattern:

   • Deploy WToken contracts outside of critical transactions.

   • Utilize a factory contract dedicated to deploying WToken contracts.

   Example Factory Pattern:

   contract WTokenFactory {

   event WTokenDeployed(address indexed wTokenAddress, address indexed collateralToken);

   ​

   function deployWToken(address collateralToken) public returns (address) {

   WToken wToken = new WToken(

   string(abi.encodePacked("w", IERC20Metadata(collateralToken).symbol())),

   IERC20Metadata(collateralToken).decimals(),

   msg.sender

   );

   emit WTokenDeployed(address(wToken), collateralToken);

   return address(wToken);

   }

   }