The contract has a `registerCollateralToken` function to add tokens that can be set as collateral tokens, but lacks a function to unregister them. If a situation arises in which a registered collateral token needs to be deregistered, e.g. a faulty token implementation or a stablecoin depeg, the protocol will be unable to do so, which may lead to various protocol integration issues, including loss of funds for users.
Introduce an admin protected function to unregister tokens.
The functions `addLiquidity`, `removeLiquidity`, `redeemPositionToken` and `redeemWToken` interact with DIVA without enforcing slippage protection. As a result, the user has no control over the amount of tokens returned to them. This can lead to loss of funds, especially on chains like Ethereum mainnet where the prevalence of MEV bots is very high.
Introduce `minAmountOut` parameters that can protect users from slippage.
`approveCollateralTokenForAave` may not work for tokens which revert on > type(uint96).max approval
The `_approveCollateralTokenForAave` function allows reapproving the Aave v3 pool to spend `type(uint256).max - currentAllowance`. The issue with this is that many popular tokens like UNI and COMP revert if the amount being approved is greater than uint96(-1). As a result, reapproving these tokens may fail.
Approve to 0 first, then approve to max.
Pool operations like `addLiquidity` and `createContingentPool` will fail if Aave's supply cap for the token is reached. In the Aave protocol, some assets have borrow or supply caps. Borrowing or supplying beyond this cap is not possible. The contract doesn't check this cap. It also doesn't check whether the isFrozen flag is set. If the isFrozen flag is set, deposits will always revert when an attempt is made to deposit into the strategy.
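An off-chain pre-check for the supply cap and isFrozen conditions described above, added here as an illustration and not taken from the AaveDIVAWrapper code base. It assumes the caller has already read the reserve's configuration word and current total supply from the Aave V3 pool; the bit positions follow Aave V3's ReserveConfiguration layout, and all function names and sample values are constructed for this example.

```python
# Added example: bit positions follow Aave V3's ReserveConfiguration layout.
DECIMALS_SHIFT, DECIMALS_BITS = 48, 8
ACTIVE_BIT, FROZEN_BIT, PAUSED_BIT = 56, 57, 60
SUPPLY_CAP_SHIFT, SUPPLY_CAP_BITS = 116, 36


def _field(data: int, shift: int, bits: int) -> int:
    return (data >> shift) & ((1 << bits) - 1)


def decode_reserve(data: int) -> dict:
    """Extract the fields that gate a deposit from the configuration word."""
    return {
        "decimals": _field(data, DECIMALS_SHIFT, DECIMALS_BITS),
        "active": bool(_field(data, ACTIVE_BIT, 1)),
        "frozen": bool(_field(data, FROZEN_BIT, 1)),
        "paused": bool(_field(data, PAUSED_BIT, 1)),
        # Stored in whole tokens; 0 means "no cap".
        "supply_cap": _field(data, SUPPLY_CAP_SHIFT, SUPPLY_CAP_BITS),
    }


def supply_blocked_reason(data: int, total_supplied: int, amount: int):
    """Return why a deposit of `amount` (base units) would revert, or None."""
    cfg = decode_reserve(data)
    if not cfg["active"]:
        return "reserve inactive"
    if cfg["paused"]:
        return "reserve paused"
    if cfg["frozen"]:
        return "reserve frozen"
    cap_units = cfg["supply_cap"] * 10 ** cfg["decimals"]
    if cfg["supply_cap"] != 0 and total_supplied + amount > cap_units:
        return "supply cap exceeded"
    return None


def make_config(decimals, supply_cap, active=True, frozen=False, paused=False) -> int:
    """Build a constructed configuration word for the demo below."""
    return (decimals << DECIMALS_SHIFT | active << ACTIVE_BIT | frozen << FROZEN_BIT
            | paused << PAUSED_BIT | supply_cap << SUPPLY_CAP_SHIFT)


if __name__ == "__main__":
    six_dec = make_config(decimals=6, supply_cap=1_000_000)  # constructed values
    print(supply_blocked_reason(six_dec, 999_500 * 10**6, 400 * 10**6))
    print(supply_blocked_reason(six_dec, 999_500 * 10**6, 600 * 10**6))
    print(supply_blocked_reason(make_config(6, 0, frozen=True), 0, 1))
```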
This is invalid. If the collateral token is not supported by Aave or invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is a known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."