Arbitrary owner address in constructor
Summary
The constructor of AaveDIVAWrapper takes owner address as a parameter. If supplied incorrectly, the contract would be unusable, requiring re-deployment.
Vulnerability Details
The constructor of
AaveDIVAWrappercontract's 3rd argument takes the owner address, which is passed to theOwnablecontract's constructor for initialization.The deployment script (
deployAaveDIVAWrapper.ts) contains an address as the owner, which seems to be valid only for the Sepolia testnet (https://sepolia.etherscan.io/address/0x9AdEFeb576dcF52F5220709c1B267d89d5208D78)The owner addresses would first need to be determined for every chain, and things can go wrong with that. While the
Ownable2Stepcontract provides some security when the owner is changed, but it can't help when the owner is initialized for the first time.
Impact
If somehow a wrong owner address is supplied as the constructor parameter, it would remain unnoticed until you try to registerCollateralToken for the first time (the error can easily be identified -
error OwnableUnauthorizedAccount(address account)).
Tools Used
-
Recommendations
Looking at some contract deployments on Sepolia (e.g. https://sepolia.etherscan.io/tx/0x36bc8e11b0dffba58e73b68a0751abd9e733217ff92ab161a4f0de6f453116d5) it seems that the contract creator would be assigned as the owner.
After rearranging the parameters (a suggesstion from another vulnerability that I submitted), simply pass msg.sender to AaveDIVAWrapperCore's constructor:
Constructor of AaveDIVAWapper should be like this then:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.