The protocol lacks a function to remove or deregister collateral tokens once they are registered via `_registerCollateralToken`. This omission creates operational risks, including reliance on deprecated/invalid tokens and bloated storage.
The `_registerCollateralToken` function allows the owner to map a collateral token to a wrapped token (wToken), but there is no corresponding `unregisterCollateralToken` function.
Once registered, a collateral token remains permanently in the `_collateralTokenToWToken` and `_wTokenToCollateralToken` mappings.
If a collateral token becomes obsolete (e.g., Aave removes support, token contract is upgraded), the protocol cannot stop users from interacting with it via `createContingentPool`.
Deprecated tokens remain active, and governance can't react to token changes or regulatory demands.
Manual review
Implement an `unregisterCollateralToken` function with `onlyOwner` access.
This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is a known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."