Summary
A mismatch in constructor parameter order between the AaveDIVAWrapper and AaveDIVAWrapperCore contracts makes the integration with DIVA and Aave unavailable.
Vulnerability Details
When deploying the AaveDIVAWrapper contract, the constructor accepts arguments and passes them to the AaveDIVAWrapperCore contract in the following sequence:
address _aaveV3Pool, address _diva, address _owner
contract AaveDIVAWrapper is AaveDIVAWrapperCore, ReentrancyGuard {
    // CONSTRUCTOR
@>  constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
    ...
}
But the constructor of the AaveDIVAWrapperCore contract expects a different sequence of arguments:
address diva_, address aaveV3Pool_, address owner_
abstract contract AaveDIVAWrapperCore is IAaveDIVAWrapper, Ownable2Step {
    ...
    // CONSTRUCTOR
    /**
     * @dev Initializes the AaveDIVAWrapper contract with the addresses of DIVA Protocol, Aave V3's Pool
     * contract and the owner of the contract.
     * @param diva_ Address of the DIVA Protocol contract.
     * @param aaveV3Pool_ Address of the Aave V3 Pool contract.
     * @param owner_ Address of the owner for the contract, who will be entitled to claim the yield.
     * Retrievable via Ownable's `owner()` function or this contract's `getContractDetails` functions.
     */
@>  constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {
        if (diva_ == address(0) || aaveV3Pool_ == address(0)) {
            revert ZeroAddress();
        }
@>      _diva = diva_;
@>      _aaveV3Pool = aaveV3Pool_;
    }
    ...
}
As a result, _diva and _aaveV3Pool are each initialized with the other's address, which makes integration with DIVA and Aave unavailable.
P.S.
An example of the error can be seen in deploy/deployAaveDIVAWrapper.ts
const AaveDIVAWrapper =
    await hre.ethers.getContractFactory("AaveDIVAWrapper");
const aaveDIVAWrapper = await AaveDIVAWrapper.deploy(
@>  AAVE_V3_POOL,
@>  DIVA,
    OWNER,
);
PoC (Foundry)
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {AaveDIVAWrapper} from "contracts/src/AaveDIVAWrapper.sol";
import {IAave} from "contracts/src/interfaces/IAave.sol";

contract AuditTest is Test {
    /*
    For PUSH0, you'd need to use at least shanghai. Update your foundry.toml as such:
    [profile.default]
    evm_version = 'shanghai'
    */

    address _owner = makeAddr("owner");
    address _diva = 0x2C9c47E7d254e493f02acfB410864b9a86c28e1D;
    address _aaveV3Pool = 0x794a61358D6845594F94dc1DB02A252b5b4814aD;
    address usdc = 0xaf88d065e77c8cC2239327C5EDb3A432268e5831;

    AaveDIVAWrapper wrapper;

    function setUp() public {
        // Fork Arbitrum so the real DIVA and Aave V3 Pool contracts are available.
        vm.createSelectFork("https://arb1.arbitrum.io/rpc");
    }

    function testAudit_deployAaveDIVAWrapper() public {
        // Deploy with the argument order the AaveDIVAWrapper constructor declares.
        wrapper = new AaveDIVAWrapper(
            _aaveV3Pool,
            _diva,
            _owner
        );

        // The wrapper has stored the DIVA address as the Aave pool, so the
        // getReserveData call lands on DIVA, which does not implement it.
        vm.prank(_owner);
        vm.expectRevert(
            abi.encodeWithSignature("FunctionNotFound(bytes4)", IAave(_aaveV3Pool).getReserveData.selector)
        );
        wrapper.registerCollateralToken(usdc);
    }
}
Impact
Integration with DIVA and Aave is unavailable. None of the basic functionality will be available.
Tools Used
Recommendations
Adjust the parameters of the AaveDIVAWrapper constructor to the order AaveDIVAWrapperCore expects:
address diva_, address aaveV3Pool_, address owner_
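All three parameters have type address, so the compiler accepts either order. The check below is an added example, not part of the original report or the project's code: it compares the names forwarded to the base constructor with the base's declared parameter names and flags any that appear at a different position. The function names and the FIXED_SRC variant are hypothetical; the two other inputs are constructed from the constructor headers quoted above.

```typescript
// Constructed input: the two constructor headers quoted in the finding.
const CHILD_SRC = `contract AaveDIVAWrapper is AaveDIVAWrapperCore, ReentrancyGuard {
    constructor(address _aaveV3Pool, address _diva, address _owner)
        AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}
}`;
const BASE_SRC = `abstract contract AaveDIVAWrapperCore is IAaveDIVAWrapper, Ownable2Step {
    constructor(address diva_, address aaveV3Pool_, address owner_) Ownable(owner_) {}
}`;
// Constructed "after" variant following the recommendation (hypothetical, not project code).
const FIXED_SRC = `contract AaveDIVAWrapper is AaveDIVAWrapperCore, ReentrancyGuard {
    constructor(address diva_, address aaveV3Pool_, address owner_)
        AaveDIVAWrapperCore(diva_, aaveV3Pool_, owner_) {}
}`;

interface Mismatch { position: number; expected: string; passed: string }

// `_diva` and `diva_` name the same thing: drop underscore decoration and case.
function normalize(name: string): string {
  return name.replace(/^_+|_+$/g, "").toLowerCase();
}

// Split "address a, address b" or "a, b" into the trailing identifier of each item.
function lastIdents(list: string): string[] {
  return list.split(",").map(s => s.trim()).filter(s => s.length > 0)
    .map(s => { const w = s.split(/\s+/); return w[w.length - 1] || ""; });
}

// Names of the base contract's constructor parameters, in declaration order.
function ctorParams(baseSrc: string): string[] {
  const m = /\bconstructor\s*\(([^)]*)\)/.exec(baseSrc);
  return m ? lastIdents(m[1] || "") : [];
}

// Arguments the child forwards in its `Base(...)` constructor invocation.
function forwardedArgs(childSrc: string, base: string): string[] {
  const m = new RegExp("\\b" + base + "\\s*\\(([^)]*)\\)").exec(childSrc);
  return m ? lastIdents(m[1] || "") : [];
}

// Flag an argument whose name matches a base parameter at a *different* position.
function findSwappedArgs(childSrc: string, baseSrc: string, base: string): Mismatch[] {
  const params = ctorParams(baseSrc).map(normalize);
  const out: Mismatch[] = [];
  forwardedArgs(childSrc, base).forEach((arg, i) => {
    const at = params.indexOf(normalize(arg));
    if (at !== -1 && at !== i) out.push({ position: i, expected: params[i] || "", passed: arg });
  });
  return out;
}
```

The check is name-based, so it only helps where child and base use recognisably similar parameter names, as they do here.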