Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Unable to handle upgradable token like usdc

zukanopro

Vulnerability Details

Function _registerCollateralToken()create wtoken based on token decimals:

WToken _wTokenContract = new WToken(

string(abi.encodePacked("w", _collateralTokenContract.symbol())),

_collateralTokenContract.decimals(), // <--

address(this) // wToken owner

);

But if token decimals update (like usdc), it will lead to chaotic for people who deposit token to protocol before and after, because wtoken is minted based on token deposit:

function _handleTokenOperations(address _collateralToken, uint256 _collateralAmount, address _wToken) private {

// Transfer collateral token from the caller to this contract. Requires prior approval by the caller

// to transfer the collateral token to the AaveDIVAWrapper contract.

IERC20Metadata(_collateralToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);

// Supply the collateral token to Aave and receive aTokens. Approval to transfer the collateral token from this contract

// to Aave was given when the collateral token was registered via `registerCollateralToken` or when the

// allowance was set via `approveCollateralTokenForAave`.

IAave(_aaveV3Pool).supply(

_collateralToken, // Address of the asset to supply to the Aave reserve.

_collateralAmount, // Amount of asset to be supplied.

address(this), // Address that will receive the corresponding aTokens (`onBehalfOf`).

0 // Referral supply is currently inactive, you can pass 0 as referralCode. This program may be activated in the future through an Aave governance proposal.

);

// Mint wTokens associated with the supplied asset, used as a proxy collateral token in DIVA Protocol.

// Only this contract is authorized to mint wTokens.

IWToken(_wToken).mint(address(this), _collateralAmount); // <--

}

For example:

User A deposit 10 usdc (10 . 10^6 token), receive back 10 . 10^6 wtoken
after upgrade, decimals is 8, user B deposit 10 usdc ( 10 . 10^8) token, receive back 10. 10^8 wtoken

Recommendations

Handle cases when token is upgradable.

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.