Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Unverified ERC-20 Metadata Calls Leading to Potential Overflows and Reverts

nitinaimshigh

Summary

The _registerCollateralToken() function retrieves ERC-20 metadata (symbol(), decimals()) without verifying their correctness. This introduces critical risks, including unexpected contract reverts, integer overflows, and incorrect token conversions. Malicious or non-standard ERC-20 tokens can return unexpected values, leading to protocol disruption or financial loss

Vulnerability Details

Issue: The function assumes all ERC-20 tokens correctly implement symbol() and decimals(), but many tokens do not follow the ERC-20 metadata standard.

Risk of Reverts: Some tokens lack symbol() and decimals() functions, causing the transaction to fail entirely.
Risk of Overflows: A malicious token could return decimals = 255, causing integer overflow when performing calculations in WToken.
Unexpected Symbol Manipulation: A token could return a very long symbol, exceeding Solidity’s string limitations, causing unexpected behavior in storage or logs.

A malicious token contract could be deployed with the following non-standard implementation:

contract MaliciousToken {

function symbol() public pure returns (string memory) {

revert("Symbol function disabled");

}

function decimals() public pure returns (uint8) {

return 255; // Causes overflow in downstream contracts

}

Impact:

If symbol() reverts, _registerCollateralToken() fails entirely, making the protocol unable to register new collateral tokens.
If decimals() returns 255, arithmetic operations may break calculations, causing token inflation or incorrect balances.

Impact

Unauthorized function calls and unvalidated ERC-20 metadata can lead to operational risks, financial loss, and protocol integrity issues.

Tools Used

Testing and Manual Review

Recommendations

Before creating WToken, verify that _collateralToken is valid and safe:

require(_getAToken(_collateralToken) != address(0), "Unsupported collateral token");

require(IERC20(_collateralToken).totalSupply() > 0, "Invalid ERC-20 token");

Ensures the token actually exists and is supported

Updates

Lead Judging Commences

bube Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.