Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Unsafe ERC20 Operations, AaveDIVAWrapperCore.sol

hawks

Summary

The contract AaveDIVAWrapperCore.sol imports the OpenZeppelin SafeERC20 library but does not use it in the functions, Instead, standard ERC20 functions are called directly, such as approve and transferFrom.

import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

Vulnerability Details

This is a potential issue as ERC20 functions may not behave as expected. For instance, return values of ERC20 functions are not always meaningful or reliable, leading to potential unexpected behavior or vulnerabilities in token handling.

_wTokenContract.approve(_diva, type(uint256).max);
_collateralTokenContract.approve(_aaveV3Pool, type(uint256).max);
_shortTokenContract.transferFrom(msg.sender /** from */, address(this) /** to */, _positionTokenAmountToRemove);
_longTokenContract.transferFrom(msg.sender /** from */, address(this) /** to */, _positionTokenAmountToRemove);

Impact

By not using SafeERC20, the contract may:

Encounter unexpected behavior due to non-standard ERC20 implementations that fail silently.

Risk potential security vulnerabilities if tokens behave unexpectedly in edge cases, such as malicious token contracts exploiting the behavior

Tools Used

Manual review

Recommendations

It is recommended to use OpenZeppelin's SafeERC20 library.

_wTokenContract.safeApprove(_diva, type(uint256).max);
_collateralTokenContract.safeApprove(_aaveV3Pool, type(uint256).max);
_shortTokenContract.safeTransferFrom(msg.sender /** from */, address(this) /** to */, _positionTokenAmountToRemove);
_longTokenContract.safeTransferFrom(msg.sender /** from */, address(this) /** to */, _positionTokenAmountToRemove);
Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.