Aave DIVA Wrapper

Summary

The AaveDIVAWrapper contract does not include functionality to unregister collateral tokens once they are added through the registerCollateralToken function. This design choice leads to permanent registration of tokens, which might not be ideal for long-term maintenance, security updates, or when dealing with tokens that could become problematic.

Vulnerability Details

• Location: AaveDIVAWrapperCore.sol

• Functions Affected: _registerCollateralToken

Description:

• The contract uses mappings _collateralTokenToWToken and _wTokenToCollateralToken to associate collateral tokens with their corresponding wrapped tokens(wTokens).

• Once a token is registered via _registerCollateralToken, there's no corresponding function like _unregisterCollateralToken to remove these associations.

• This means that tokens, once registered, remain so indefinitely, even if there's a need to cease support due to security issues, regulatory changes, or token deprecation.

Impact

• Operational Inflexibility: The protocol cannot adapt to changes in token standards or security without redeploying the contract or implementing complex workarounds.

• Security Exposure: If a registered token becomes compromised, the protocol would continue to support it, potentially exposing users to risks or requiring additional measures to disable its use within the system.

• User Experience: Users might face continued support for tokens they no longer wish to interact with, affecting trust and usability.

Tools Used

Manual review

Recommendations

• Add a function like unregisterCollateralToken:

  function _unregisterCollateralToken(address _collateralToken) internal {

  address _wToken = _collateralTokenToWToken[_collateralToken];

  delete _collateralTokenToWToken[_collateralToken];

  delete _wTokenToCollateralToken[_wToken];

  // Additional logic to handle any existing pools or balances if necessary

  }

• Ensure this function removes or updates any related state or permissions.