The constructor of the AaveDIVAWrapper contract has local variables that shadow state variables from its parent contract, AaveDIVAWrapperCore. The local variables _aaveV3Pool and _diva in the AaveDIVAWrapper constructor have the same names as the state variables in AaveDIVAWrapperCore. This shadowing can lead to confusion and potential errors in contract execution, as it may not be clear which variables are being referenced in certain parts of the contract.
Vulnerable Contract: AaveDIVAWrapper (inherits from AaveDIVAWrapperCore)
Function: Constructor
Line of Occurrence: Line 12 in AaveDIVAWrapper.sol
Description: The constructor of AaveDIVAWrapper defines local variables named _aaveV3Pool and _diva, which shadow the state variables of the same names in AaveDIVAWrapperCore. This shadowing can cause confusion when accessing state variables, as the local variables may take precedence within the constructor, potentially leading to errors.
POC
Impact
Confusion and Ambiguity: Shadowing state variables can create confusion regarding which variables are being accessed. This makes the code harder to maintain and can lead to unintended behavior if developers mistakenly modify or access the wrong variables.
Potential Errors: Shadowing could lead to the modification of the wrong state variables if the developer is unaware of the local shadowing, causing bugs that may be hard to detect.
Code Maintainability Issues: The shadowing makes the code less readable and maintainable, increasing the risk of future developers introducing errors unknowingly.
Tools Used
Slither: Used to identify local variable shadowing in the smart contract code. Slither provides a detailed report of the detected vulnerabilities and potential issues in Solidity code.
Solidity: Used for writing the smart contracts and demonstrating the vulnerability.
Recommendations
Rename Local Variables: Avoid using the same names for local variables as state variables to prevent shadowing. Consider renaming the constructor parameters, for example, aavePoolAddress and divaAddress.
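The shadowing pattern and the recommended rename, side by side, as an added example that is not the audited project's code. The contracts CoreExample, ShadowedWrapper and RenamedWrapper and the setDiva function are hypothetical and constructed for illustration; only the variable names _aaveV3Pool and _diva and the suggested names aavePoolAddress and divaAddress come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: hypothetical contracts, not the audited source.
contract CoreExample {
    address internal _aaveV3Pool;
    address internal _diva;

    constructor(address aavePoolAddress, address divaAddress) {
        _aaveV3Pool = aavePoolAddress;
        _diva = divaAddress;
    }

    function diva() external view returns (address) {
        return _diva;
    }
}

// Shadowed form: parameters reuse the inherited state variable names.
contract ShadowedWrapper is CoreExample {
    // Here `_aaveV3Pool` and `_diva` resolve to the parameters, so the base
    // constructor still receives the intended arguments. The names alone
    // no longer tell a reader whether storage or an argument is meant.
    constructor(address _aaveV3Pool, address _diva)
        CoreExample(_aaveV3Pool, _diva)
    {}

    // Failure mode (hypothetical setter, access control omitted for brevity):
    // both sides of the assignment resolve to the parameter, so the
    // inherited state variable is never written and diva() keeps its old value.
    function setDiva(address _diva) external {
        _diva = _diva;
    }
}

// Renamed form, using the names suggested in the recommendation.
contract RenamedWrapper is CoreExample {
    constructor(address aavePoolAddress, address divaAddress)
        CoreExample(aavePoolAddress, divaAddress)
    {}

    // `_diva` now unambiguously refers to the inherited state variable.
    function setDiva(address divaAddress) external {
        _diva = divaAddress;
    }
}
```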