Aave DIVA Wrapper

Summary

The AaveDIVAWrapper.sol's constructor arguments are provided in the wrong order, causing the DIVA Protocol address and Aave V3 Pool address to be swapped during initialization. This issue results in incorrect storage assignments for these addresses, leading to failed or unexpected behavior when interacting with the DIVA and Aave protocols.

Vulnerability Details

According to the Documentation.md file provided in the contest ReadMe:

To deploy the AaveDIVAWrapper contract, the following parameters must be provided:

• diva_: Address of the DIVA Protocol contract.

• aaveV3_: Address of the Aave V3 contract.

• owner_: Address of the owner of the contract, eligible to claim yield and register collateral tokens.

Execution steps

1. Validate that none of the provided addresses are zero.

2. Set the DIVA Protocol address (_diva) to the provided diva_ address.

3. Set the Aave V3 Pool address (_aaveV3Pool) to the provided aaveV3Pool_ address.

4. Initialize the Ownable contract with the provided owner_ address.

Th issue is that the constructor arguments in AaveDIVAWrapper are provided in the wrong order.

This is the AaveDIVAWrapperCore constructor signature:

But AaveDIVAWrapper calls it as:

First argument should be diva_ but receives _aaveV3Pool.
Second argument should be aaveV3Pool_ but receives _diva.
Third argument (owner_) is correct.

Impact

This will cause all interactions with both DIVA and Aave protocols to fail or behave unexpectedly

Tools Used

Manual review, VSCode

Recommendations

The fix is to change the order of arguments in
AaveDIVAWrapper's constructor to match the parent: