HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Valid

Constructor Parameter Order Mismatch in AaveDIVAWrapper

Summary

The AaveDIVAWrapper contract passes constructor parameters in an incorrect order to its parent AaveDIVAWrapperCore contract, potentially causing protocol-breaking misassignment of DIVA Protocol and Aave V3 addresses.

Vulnerability Details

AaveDIVAWrapper's constructor:

constructor(address _aaveV3Pool, address _diva, address _owner)
    AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}

Parent contract AaveDIVAWrapperCore's constructor:

constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {
    if (diva_ == address(0) || aaveV3Pool_ == address(0)) {
        revert ZeroAddress();
    }
    _diva = diva_;
    _aaveV3Pool = aaveV3Pool_;
}

The first parameter _aaveV3Pool is incorrectly passed as diva_, and second parameter _diva as aaveV3Pool_, swapping critical protocol addresses.
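
The compiler accepts this swap because both arguments are of type address, so it has to be caught by comparing names. The check below is an added example, not code from this submission or from the DIVA project: it compares the arguments passed to the base constructor with the parent's parameter names. The function name swapped_base_args and the regex-based parsing are assumptions for illustration; the sample strings are the constructor lines quoted on this page.

```python
import re

CTOR_RE = re.compile(r"constructor\s*\(([^)]*)\)")

def _norm(name):
    """Drop the underscore prefix/suffix convention so `_diva` matches `diva_`."""
    return name.strip("_").lower()

def _split(arglist):
    return [a.strip() for a in arglist.split(",") if a.strip()]

def swapped_base_args(child_src, parent_src, base_name):
    """Return (position, passed_arg, parent_param) for every base-constructor
    argument whose name matches a *different* parent parameter of the same
    type, i.e. the swaps the Solidity type checker cannot reject."""
    base_call = re.search(r"\b%s\s*\(([^)]*)\)" % re.escape(base_name), child_src)
    parent_ctor = CTOR_RE.search(parent_src)
    if not base_call or not parent_ctor:
        raise ValueError("constructor or base call not found")
    args = _split(base_call.group(1))
    # "address diva_" -> ("address", "diva_"); the last token is the name
    params = [(p.split()[0], p.split()[-1]) for p in _split(parent_ctor.group(1))]
    if len(args) != len(params):
        raise ValueError("argument count differs from parent constructor")
    type_by_name = {_norm(name): typ for typ, name in params}
    findings = []
    for i, (arg, (ptype, pname)) in enumerate(zip(args, params)):
        if _norm(arg) != _norm(pname) and type_by_name.get(_norm(arg)) == ptype:
            findings.append((i, arg, pname))
    return findings

# Sample inputs: the constructor lines quoted in this finding.
PARENT_CTOR = ("constructor(address diva_, address aaveV3Pool_, address owner_) "
               "Ownable(owner_) {")
VULNERABLE_CHILD = ("constructor(address _aaveV3Pool, address _diva, address _owner) "
                    "AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}")
FIXED_CHILD = ("constructor(address _aaveV3Pool, address _diva, address _owner) "
               "AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}")

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_CHILD), ("fixed", FIXED_CHILD)):
        print(label, swapped_base_args(src, PARENT_CTOR, "AaveDIVAWrapperCore"))
```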

Impact

Impact: Low - It would mess up core functionality, but in 100% of cases will revert because the two contracts (diva and aaveV3Pool) do not share functionality.

Likelihood: High - Anyone that's trying to deploy the AaveDIVAWrapper following the order described in the constructor would deploy it wrong in 100% of cases.

Severity: Medium

Tools Used

Manual code review - Tried to write my own Foundry PoC and spent minutes figuring out why everything is wrong.

Recommendations

Align parameter order by changing AaveDIVAWrapper constructor:

-- constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
++ constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}
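
Review bot: The `++` line keeps the wrapper's signature as (_aaveV3Pool, _diva, _owner) while the parent takes (diva_, aaveV3Pool_, owner_), so the two constructors still list the addresses in different orders and a later edit or a deployer reading only one of them can transpose them again. All three arguments are of type address and the parent only rejects the zero address, so neither the compiler nor the constructor will flag a swap. Consider giving both constructors the same order, or documenting the wrapper's order in a comment on the constructor, and adding a deployment test that reads the stored DIVA and Aave V3 pool addresses back and compares them with the inputs.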
Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Constructor arguments mismatch
