HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Shadowing of State Variables in AaveDIVAWrapper Constructor

AaveDIVAWrapper Shadowing Vulnerability Report

Summary

The constructor of the AaveDIVAWrapper contract has local variables that shadow state variables from its parent contract, AaveDIVAWrapperCore. The local variables _aaveV3Pool and _diva in the AaveDIVAWrapper constructor have the same names as the state variables in AaveDIVAWrapperCore. This shadowing can lead to confusion and potential errors in contract execution, as it may not be clear which variables are being referenced in certain parts of the contract.

Vulnerability Details

  • Vulnerable Contract: AaveDIVAWrapper (inherits from AaveDIVAWrapperCore)

  • Function: Constructor

  • Line of Occurrence: Line 12 in AaveDIVAWrapper.sol

  • Description: The constructor of AaveDIVAWrapper defines local variables named _aaveV3Pool and _diva, which shadow the state variables of the same names in AaveDIVAWrapperCore. This shadowing can cause confusion when accessing state variables, as the local variables may take precedence within the constructor, potentially leading to errors.

// Constructor of AaveDIVAWrapper with shadowing
constructor(address aaveV3PoolAddress, address divaAddress, address shortTokenAddress) {
    _aaveV3Pool = aaveV3PoolAddress; // Local variable shadows state variable
    _diva = divaAddress; // Local variable shadows state variable
}

POC

contract AaveDIVAWrapper is AaveDIVAWrapperCore {
    constructor(address aaveV3PoolAddress, address divaAddress, address shortTokenAddress)
        AaveDIVAWrapperCore(aaveV3PoolAddress, divaAddress, shortTokenAddress)
    {
        _aaveV3Pool = aaveV3PoolAddress; // Shadows _aaveV3Pool in AaveDIVAWrapperCore
        _diva = divaAddress; // Shadows _diva in AaveDIVAWrapperCore
    }
}

Impact

  • Confusion and Ambiguity: Shadowing state variables can create confusion regarding which variables are being accessed. This makes the code harder to maintain and can lead to unintended behavior if developers mistakenly modify or access the wrong variables.

  • Potential Errors: Shadowing could lead to the modification of the wrong state variables if the developer is unaware of the local shadowing, causing bugs that may be hard to detect.

  • Code Maintainability Issues: The shadowing makes the code less readable and maintainable, increasing the risk of future developers introducing errors unknowingly.

Tools Used

  • Slither: Used to identify local variable shadowing in the smart contract code. Slither provides a detailed report of the detected vulnerabilities and potential issues in Solidity code.

  • Solidity: Used for writing the smart contracts and demonstrating the vulnerability.

Recommendations

  • Rename Local Variables: Avoid using the same names for local variables as state variables to prevent shadowing. Consider renaming the constructor parameters, for example, aavePoolAddress and divaAddress.

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
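
Added example, not part of the submission or the project's code: a simplified name-comparison check for constructor-parameter shadowing (not Slither's implementation), run over constructed Solidity samples. The base contract layout and the helper names are assumptions; only the identifiers _aaveV3Pool, _diva, aaveV3PoolAddress, divaAddress and shortTokenAddress come from the page.

```python
import re

# Constructed sample (not the project's source): base contract with the two state
# variable names the report cites; the caller fills in two constructor parameter names.
BASE = """contract AaveDIVAWrapperCore {
    address internal _aaveV3Pool;
    address internal _diva;
}
"""

def derived(p1, p2):
    return BASE + f"""contract AaveDIVAWrapper is AaveDIVAWrapperCore {{
    constructor(address {p1}, address {p2}, address shortTokenAddress) {{
        _aaveV3Pool = {p1};
        _diva = {p2};
    }}
}}
"""

def contract_bodies(src):  # contract name -> (parent names, body text)
    out = {}
    for m in re.finditer(r"contract\s+(\w+)(?:\s+is\s+([^{]+))?\s*\{", src):
        depth, i = 1, m.end()
        while depth:  # walk to the brace that closes this contract
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        parents = [p.strip() for p in (m.group(2) or "").split(",") if p.strip()]
        out[m.group(1)] = (parents, src[m.end():i - 1])
    return out

def state_vars(body):  # names declared at contract level; nested blocks skipped
    flat, depth = [], 0
    for ch in body:
        if ch in "{}":
            depth += 1 if ch == "{" else -1
        elif depth == 0:
            flat.append(ch)
    return set(re.findall(r"(\w+)\s*(?:=[^;]*)?;", "".join(flat)))

def ctor_params(body):
    m = re.search(r"constructor\s*\(([^)]*)\)", body)
    return {p.split()[-1] for p in m.group(1).split(",") if p.strip()} if m else set()

def shadowed_ctor_params(src, name):  # parameters colliding with a visible state variable
    contracts = contract_bodies(src)
    visible, todo = set(), [name]
    while todo:  # collect state variables of the contract and all its ancestors
        parents, body = contracts[todo.pop()]
        visible |= state_vars(body)
        todo += [p for p in parents if p in contracts]
    return sorted(ctor_params(contracts[name][1]) & visible)
```

With the parameter names shown in the submission's snippets the check reports no collision; with parameters named like the state variables it reports both, and the assignments in the constructor body would then write to the parameters themselves.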
