Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Shadowing of State Variables in AaveDIVAWrapper Constructor

sidanaarmaan2003

AaveDIVAWrapper Shadowing Vulnerability Report

Summary

The constructor of the AaveDIVAWrapper contract has local variables that shadow state variables from its parent contract, AaveDIVAWrapperCore. The local variables _aaveV3Pool and _diva in the AaveDIVAWrapper constructor have the same names as the state variables in AaveDIVAWrapperCore. This shadowing can lead to confusion and potential errors in contract execution, as it may not be clear which variables are being referenced in certain parts of the contract.

Vulnerability Details

Vulnerable Contract: AaveDIVAWrapper (inherits from AaveDIVAWrapperCore)
Function: Constructor
Line of Occurrence: Line 12 in AaveDIVAWrapper.sol
Description: The constructor of AaveDIVAWrapper defines local variables named _aaveV3Pool and _diva, which shadow the state variables of the same names in AaveDIVAWrapperCore. This shadowing can cause confusion when accessing state variables, as the local variables may take precedence within the constructor, potentially leading to errors.

// Constructor of AaveDIVAWrapper with shadowing

constructor(address aaveV3PoolAddress, address divaAddress, address shortTokenAddress) {

_aaveV3Pool = aaveV3PoolAddress; // Local variable shadows state variable

_diva = divaAddress; // Local variable shadows state variable

}

POC

contract AaveDIVAWrapper is AaveDIVAWrapperCore {

constructor(address aaveV3PoolAddress, address divaAddress, address shortTokenAddress)

AaveDIVAWrapperCore(aaveV3PoolAddress, divaAddress, shortTokenAddress)

{

_aaveV3Pool = aaveV3PoolAddress; // Shadows _aaveV3Pool in AaveDIVAWrapperCore

_diva = divaAddress; // Shadows _diva in AaveDIVAWrapperCore

}

Impact
Confusion and Ambiguity: Shadowing state variables can create confusion regarding which variables are being accessed. This makes the code harder to maintain and can lead to unintended behavior if developers mistakenly modify or access the wrong variables.
Potential Errors: Shadowing could lead to the modification of the wrong state variables if the developer is unaware of the local shadowing, causing bugs that may be hard to detect.
Code Maintainability Issues: The shadowing makes the code less readable and maintainable, increasing the risk of future developers introducing errors unknowingly.
Tools Used
Slither: Used to identify local variable shadowing in the smart contract code. Slither provides a detailed report of the detected vulnerabilities and potential issues in Solidity code.
Solidity: Used for writing the smart contracts and demonstrating the vulnerability.
Recommendations
Rename Local Variables: Avoid using the same names for local variables as state variables to prevent shadowing. Consider renaming the constructor parameters, for example, aavePoolAddress and divaAddress.

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.