HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Unable to handle upgradable tokens like USDC

Vulnerability Details

Function _registerCollateralToken() creates the wToken based on the collateral token's decimals:

    WToken _wTokenContract = new WToken(
        string(abi.encodePacked("w", _collateralTokenContract.symbol())),
        _collateralTokenContract.decimals(), // <-- decimals read once, at registration
        address(this) // wToken owner
    );

But if the token's decimals are updated (e.g. USDC, which is upgradable), it will lead to chaos for people who deposited tokens into the protocol before and after the change, because wTokens are minted 1:1 with the token amount deposited:

    function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {
        // Transfer collateral token from the caller to this contract. Requires prior approval by the caller
        // to transfer the collateral token to the AaveDIVAWrapper contract.
        IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);
        // Supply the collateral token to Aave and receive aTokens. Approval to transfer the collateral token from this contract
        // to Aave was given when the collateral token was registered via `registerCollateralToken` or when the
        // allowance was set via `approveCollateralTokenForAave`.
        IAave(_aaveV3Pool).supply(
            _collateralToken, // Address of the asset to supply to the Aave reserve.
            _collateralAmount, // Amount of asset to be supplied.
            address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`).
            0 // Referral supply is currently inactive, you can pass 0 as referralCode. This program may be activated in the future through an Aave governance proposal.
        );
        // Mint wTokens associated with the supplied asset, used as a proxy collateral token in DIVA Protocol.
        // Only this contract is authorized to mint wTokens.
        IWToken(_wToken).mint(address(this), _collateralAmount); // <-- minted 1:1 with the raw token amount
    }

For example:

  • User A deposits 10 USDC (10 * 10^6 token units) and receives 10 * 10^6 wTokens

  • after an upgrade that sets decimals to 8, User B deposits 10 USDC (10 * 10^8 token units) and receives 10 * 10^8 wTokens

Recommendations

Handle the case where the token is upgradable and its decimals may change.
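One way to act on this recommendation, shown as an added example rather than code from the AaveDIVAWrapper project: pin the decimals value observed at registration and make every deposit revert if the token later reports a different value, so the 1:1 mint can never mix two unit scales. The contract and interface names (DecimalsPinnedWrapper, ExampleWToken, the inline IERC20Metadata subset), the error types, and the omission of the Aave supply step are all assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not AaveDIVAWrapper code. Minimal subset of the ERC-20
// metadata interface, declared inline so the example compiles stand-alone.
interface IERC20Metadata {
    function symbol() external view returns (string memory);
    function decimals() external view returns (uint8);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for the wToken: its decimals are fixed at creation,
// which is exactly why the underlying token's decimals must not drift afterwards.
contract ExampleWToken {
    string public name;
    uint8 public immutable decimals;
    address public immutable owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor(string memory _name, uint8 _decimals, address _owner) {
        name = _name;
        decimals = _decimals;
        owner = _owner;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "only owner");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

contract DecimalsPinnedWrapper {
    struct Collateral {
        ExampleWToken wToken;
        uint8 decimalsAtRegistration; // value the wToken was created with
    }

    mapping(address => Collateral) public collaterals;

    error AlreadyRegistered(address token);
    error NotRegistered(address token);
    error DecimalsChanged(address token, uint8 expected, uint8 actual);

    // Mirrors the page's registration step, but keeps the decimals it read.
    function registerCollateralToken(address _collateralToken) external {
        if (address(collaterals[_collateralToken].wToken) != address(0)) {
            revert AlreadyRegistered(_collateralToken);
        }
        IERC20Metadata token = IERC20Metadata(_collateralToken);
        uint8 dec = token.decimals();
        ExampleWToken w = new ExampleWToken(
            string(abi.encodePacked("w", token.symbol())),
            dec,
            address(this)
        );
        collaterals[_collateralToken] = Collateral({wToken: w, decimalsAtRegistration: dec});
    }

    // Guard to run before any operation that mints or burns wTokens 1:1 against collateral.
    function _checkDecimalsUnchanged(address _collateralToken) internal view {
        Collateral storage c = collaterals[_collateralToken];
        if (address(c.wToken) == address(0)) revert NotRegistered(_collateralToken);
        uint8 actual = IERC20Metadata(_collateralToken).decimals();
        if (actual != c.decimalsAtRegistration) {
            revert DecimalsChanged(_collateralToken, c.decimalsAtRegistration, actual);
        }
    }

    function deposit(address _collateralToken, uint256 _collateralAmount) external {
        _checkDecimalsUnchanged(_collateralToken);
        require(
            IERC20Metadata(_collateralToken).transferFrom(msg.sender, address(this), _collateralAmount),
            "transfer failed"
        );
        // The Aave supply call from the page's snippet is omitted here. The 1:1 mint below
        // is sound only because the unit scale was verified a moment ago.
        collaterals[_collateralToken].wToken.mint(msg.sender, _collateralAmount);
    }
}
```

The cost is one extra staticcall to decimals() per deposit; the benefit is that a decimals change turns into an explicit revert (and a forced migration decision by the protocol owner) instead of silently mixing 10^6-scale and 10^8-scale balances in the same wToken. The same guard belongs in front of the redemption path, where wTokens are burned against collateral.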

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
