HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

AaveDIVAWrapper::approveCollateralTokenForAave is publicly callable

Summary

The approveCollateralTokenForAave function lacks appropriate access controls, allowing any external account to invoke the function.

Vulnerability Details

  1. Lack of Access Control:

    • The function is marked as external, which makes it callable by any account outside the contract.

    • There is no restriction mechanism such as onlyOwner or role-based access control to limit who can call this function.

  2. Delegation to Internal Function:

    • The function delegates the actual logic to _approveCollateralTokenForAave; because the external wrapper adds no safeguards of its own, that internal logic is reachable by any caller.

Impact

  • Unintended State Changes:

    • Any user can re-approve tokens, possibly altering the contract's intended interactions with Aave.

  • Loss of Integrity:

    • The unrestricted nature of this function undermines the integrity of the contract and may lead to unintended or malicious outcomes.

Tools Used

  • Manual code review of the provided smart contract.

Recommendations

  1. Implement Access Control:

    • Use onlyOwner or role-based access control to restrict access to the function.

    • Example:

      function approveCollateralTokenForAave(address _collateralToken) external onlyOwner {
          _approveCollateralTokenForAave(_collateralToken);
      }

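A complete form of the recommended fix, added here as an illustration and not taken from the AaveDIVAWrapper code base: it assumes OpenZeppelin v5 (Ownable, SafeERC20), a pool address fixed at deployment, and a hypothetical isRegisteredCollateral registry. Beyond gating the caller, it pins the spender to the pool and emits an event so every approval is visible in the logs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Illustrative wrapper (hypothetical, not the audited AaveDIVAWrapper):
///         the approval path is owner-gated, the spender is a fixed pool address,
///         and only tokens the owner has registered can be approved.
contract CollateralApprovalExample is Ownable {
    using SafeERC20 for IERC20;

    address public immutable aavePool;                      // assumption: set once at deployment
    mapping(address => bool) public isRegisteredCollateral; // assumption: hypothetical registry

    event CollateralTokenApproved(address indexed token, address indexed spender, uint256 amount);

    error TokenNotRegistered(address token);

    // OpenZeppelin v5 Ownable takes the initial owner as a constructor argument.
    constructor(address _aavePool) Ownable(msg.sender) {
        aavePool = _aavePool;
    }

    /// @notice Owner registers which tokens may ever be approved to the pool.
    function registerCollateralToken(address _collateralToken) external onlyOwner {
        isRegisteredCollateral[_collateralToken] = true;
    }

    /// @notice Owner-only entry point, as the finding recommends.
    function approveCollateralTokenForAave(address _collateralToken) external onlyOwner {
        _approveCollateralTokenForAave(_collateralToken);
    }

    /// @dev The spender is hard-wired to the pool, so no caller can redirect an allowance;
    ///      forceApprove also handles tokens that reject approve() on a non-zero allowance.
    function _approveCollateralTokenForAave(address _collateralToken) internal {
        if (!isRegisteredCollateral[_collateralToken]) revert TokenNotRegistered(_collateralToken);
        IERC20(_collateralToken).forceApprove(aavePool, type(uint256).max);
        emit CollateralTokenApproved(_collateralToken, aavePool, type(uint256).max);
    }
}
```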
Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
