Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Parameters in the `AaveDIVAWrapper` constructor are passed to `AaveDIVAWrapperCore` in reverse order.

victorzsh

Summary

The AaveDIVAWrapper contract incorrectly initializes its parent contract (AaveDIVAWrapperCore) by reversing the order of the Aave and DIVA protocol addresses. This inversion causes all interactions with Aave V3 to be directed to the DIVA contract (and vice versa), rendering core protocol functionality irreparably broken.

Vulnerability Details

Source Code Reference

The AaveDIVAWrapperCore constructor expects the following parameter order:

constructor(address diva_, address aaveV3Pool_, address owner_)

However, the AaveDIVAWrapper::constructor() provides the Aave and DIVA addresses in reverse order when calling the AaveDIVAWrapperCore::constructor():

constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}

By passing _aaveV3Pool as the first argument and _diva as the second, the AaveDIVAWrapper contract ends up assigning:

diva_ = _aaveV3Pool
aaveV3Pool_ = _diva

PoC

Please place the provided file in the project's test directory and ensure that foundry is properly configured before execution.

// SPDX-License-Identifier: MIT

pragma solidity 0.8.26;

import {Test} from "forge-std/Test.sol";

import {AaveDIVAWrapper} from "../src/AaveDivaWrapper.sol";

contract PoC_ConstructorInversion is Test {

address constant AAVE_V3 = 0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2; // AAVE V3 Mainnet Pool

address constant DIVA = 0x2C9c47E7d254e493f02acfB410864b9a86c28e1D; // DIVA Mainnet

address owner = makeAddr("owner");

address constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2; // WETH Mainnet

address constant WETH_ATOKEN = 0x4d5F47FA6A74757f35C14fD3a6Ef8E3C9BC514E8; // WETH AToken

uint256 mainnetFork;

string MAINNET_RPC_URL = vm.envString("ETH_RPC_URL");

function setUp() public {

mainnetFork = vm.createFork(MAINNET_RPC_URL);

}

function test_parameterInversionReverts() public {

vm.selectFork(mainnetFork);

// Deploy with inverted parameters (AAVE first, DIVA second)

// According to AaveDIVAWrapper constructor

AaveDIVAWrapper wrapper = new AaveDIVAWrapper(AAVE_V3, DIVA, owner);

// Attempt to call an Aave-specific function through the wrapper

vm.expectRevert(); // Expected to revert due to invalid call to DIVA

wrapper.getAToken(WETH); // WETH address

}

function test_correctParametersWork() public {

vm.selectFork(mainnetFork);

// Deploy with correct parameters (DIVA first, AAVE second)

// According to AaveDIVAWrapperCore constructor

AaveDIVAWrapper wrapper = new AaveDIVAWrapper(DIVA, AAVE_V3, owner);

// Verify successful Aave interaction

address aToken = wrapper.getAToken(WETH);

assertEq(aToken, WETH_ATOKEN); // Valid WETH aToken address

}

Impact:

Aave Interactions Directed to DIVA: All calls to Aave V3 functions (e.g., supply, withdraw, getReserveData) will be sent to the DIVA contract, which lacks these functions. This will revert all protocol operations involving Aave (collateral deposits, withdrawals, yield claims).
DIVA Interactions Directed to Aave: Calls to DIVA Protocol (e.g., createContingentPool, addLiquidity) will be routed to the Aave contract, leading to unintended asset movements or permanent loss of funds.
Protocol Unusable: The wrapper becomes non-functional, as core features (pool creation, liquidity management) will fail catastrophically.

Tools used:

Foundry/Forge: Identified via test failures showing 0x5416eb98 selector errors (mismatched function calls to DIVA).
Manual Code Review: Detected parameter inversion in constructor inheritance

Recommended Mitigation:

Correct Parameter Order in Constructor:
Swap the _aaveV3Pool and _diva parameters in the AaveDIVAWrapper constructor:
- constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
+ constructor(address _diva, address _aaveV3Pool, address _owner) AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}

Updates

Lead Judging Commences

bube Lead Judge 9 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Constructor arguments mismatch

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.