The AaveDIVAWrapper contract does not include functionality to unregister collateral tokens once they are added through the registerCollateralToken function. This design choice leads to permanent registration of tokens, which might not be ideal for long-term maintenance, security updates, or when dealing with tokens that could become problematic.
Location: AaveDIVAWrapperCore.sol
Functions Affected: _registerCollateralToken
Description:
The contract uses mappings _collateralTokenToWToken and _wTokenToCollateralToken to associate collateral tokens with their corresponding wrapped tokens (wTokens).
Once a token is registered via _registerCollateralToken, there's no corresponding function like _unregisterCollateralToken to remove these associations.
This means that tokens, once registered, remain so indefinitely, even if there's a need to cease support due to security issues, regulatory changes, or token deprecation.
Operational Inflexibility: The protocol cannot adapt to changes in token standards or security without redeploying the contract or implementing complex workarounds.
Security Exposure: If a registered token becomes compromised, the protocol would continue to support it, potentially exposing users to risks or requiring additional measures to disable its use within the system.
User Experience: Users might face continued support for tokens they no longer wish to interact with, affecting trust and usability.
Manual review
Add a function like unregisterCollateralToken:
Ensure this function removes or updates any related state or permissions.
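A sketch of the recommended function, added here as an example; it is not part of the submission and not AaveDIVAWrapper's code. Only the two mapping names come from the finding. The contract name, owner check, events, errors, and the choice to keep the reverse mapping after unregistering are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a stand-alone registry, not AaveDIVAWrapperCore itself.
// Only the two mapping names come from the finding; the rest is hypothetical.
contract CollateralRegistrySketch {
    address public immutable owner;
    mapping(address => address) private _collateralTokenToWToken;
    mapping(address => address) private _wTokenToCollateralToken;

    event CollateralTokenRegistered(address indexed collateralToken, address indexed wToken);
    event CollateralTokenUnregistered(address indexed collateralToken, address indexed wToken);

    error NotOwner();
    error ZeroAddress();
    error AlreadyRegistered();
    error NotRegistered();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() { owner = msg.sender; }

    // Stand-in for registration; the wToken address is supplied by the caller (assumption).
    function registerCollateralToken(address collateralToken, address wToken) external onlyOwner {
        if (collateralToken == address(0) || wToken == address(0)) revert ZeroAddress();
        if (_collateralTokenToWToken[collateralToken] != address(0)) revert AlreadyRegistered();
        address prior = _wTokenToCollateralToken[wToken];
        if (prior != address(0) && prior != collateralToken) revert AlreadyRegistered();
        _collateralTokenToWToken[collateralToken] = wToken;
        _wTokenToCollateralToken[wToken] = collateralToken;
        emit CollateralTokenRegistered(collateralToken, wToken);
    }

    // Removes the forward association so the token reads as unregistered.
    // The reverse entry is kept on purpose (design assumption): holders of an
    // already-issued wToken still need to resolve its underlying token.
    function unregisterCollateralToken(address collateralToken) external onlyOwner {
        address wToken = _collateralTokenToWToken[collateralToken];
        if (wToken == address(0)) revert NotRegistered();
        delete _collateralTokenToWToken[collateralToken];
        emit CollateralTokenUnregistered(collateralToken, wToken);
    }

    function getWToken(address collateralToken) external view returns (address) { return _collateralTokenToWToken[collateralToken]; }
    function getCollateralToken(address wToken) external view returns (address) { return _wTokenToCollateralToken[wToken]; }
}
```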
This is invalid. If the collateral token is not supported by Aave or is invalid, the `registerCollateralToken` will revert. If the collateral token is deprecated by Aave due to a given issue, this is a known issue: "Integration risk with both Aave V3 and DIVA Protocol - vulnerabilities in either protocol may affect AaveDIVAWrapper."