HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Hardcoded referral code in `IAave.supply` causes users to miss out on potential future rewards.

Vulnerability Details

The current `_handleTokenOperations` hardcodes the `referralCode` parameter to 0 in the Aave V3 `supply()` call.

```solidity
IAave(_aaveV3Pool).supply(
    _collateralToken, // Address of the asset to supply to the Aave reserve.
    _collateralAmount, // Amount of asset to be supplied.
    address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`).
    // Referral supply is currently inactive, you can pass 0 as referralCode. This program may be
    // activated in the future through an Aave governance proposal.
@>  0 // @audit problem: referralCode is hardcoded to 0
);
```

While the referral system is currently inactive, Aave's documentation indicates that it may be activated in the future through a governance proposal. By hardcoding referralCode to 0, the integration fails to account for the possibility of future referral rewards.

One of the core features of the AaveDIVAWrapper is the yield generated while the collateral sits idle, which users would benefit from. A hardcoded value would result in users missing out on potential incentives for referring others to the protocol, and any missed opportunity for users to maximize their earnings (including potential referral rewards) undermines the overall value proposition, which is essentially a core goal and promise to users.

Recommendations

Consider allowing users to specify a referral code once the referral system is active.

+ uint256 public referralCode;
+ event ReferralCodeChanged(uint256 oldCode, uint256 newCode)
+ function setReferralCode(uint256 _code) external onlyOwner {
+ referralCode = _code;
+ emit ReferralCodeChanged(referralCode, _code);
+ }
function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {
// Transfer collateral token from the caller to this contract. Requires prior approval by the caller
// to transfer the collateral token to the AaveDIVAWrapper contract.
IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);
IAave(_aaveV3Pool).supply(
_collateralToken, // Address of the asset to supply to the Aave reserve.
_collateralAmount, // Amount of asset to be supplied.
address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`).
// Referral supply is currently inactive, you can pass 0 as referralCode. This program may be
// activated in the future through an Aave governance proposal.
- 0
+ referralCode
);
IWToken(_wToken).mint(address(this), _collateralAmount);
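Review bot: in `setReferralCode`, the assignment `referralCode = _code;` runs before `emit ReferralCodeChanged(referralCode, _code);`, so the event always reports `oldCode` equal to `newCode`; capture the old value first, e.g. `uint256 old = referralCode; referralCode = _code; emit ReferralCodeChanged(old, _code);`. The `event ReferralCodeChanged(uint256 oldCode, uint256 newCode)` declaration is also missing its terminating semicolon. If the `IAave.supply` interface follows Aave V3's signature, `referralCode` is a `uint16`, so a `uint256` storage variable passed directly will not compile; declare it as `uint16` (or cast explicitly and bound the value in the setter). The snippet additionally omits the closing brace of `_handleTokenOperations`, which should be shown so the suggested change reads as complete code.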
Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

falsegenius Submitter
6 months ago
