Aave DIVA Wrapper

Summary

The constructor of the AaveDIVAWrapper contract initializes key parameters (_diva, _aaveV3Pool, _owner) in the wrong order when invoking the parent contract AaveDIVAWrapperCore. This critical misconfiguration disrupts core workflows, including pool creation, liquidity management, and yield generation, rendering the contract unusable.

Vulnerability Details

In the current implementation, the constructor passes its parameters in the following order:

This results in:

• _aaveV3Pool being incorrectly assigned to _diva.

• _diva being incorrectly assigned to _aaveV3Pool.

This mismatch causes failures in contract initialization and protocol workflows, as the contract relies on these addresses to interact with the DIVA Protocol and Aave V3. Correct initialization should ensure that _diva refers to the DIVA Protocol and _aaveV3Pool refers to Aave V3.

Impact and Scenarios

Scenario 1: Pool Creation Fails

When a user attempts to create a contingent pool via createContingentPool, the contract references _diva to interact with the DIVA Protocol. Since _diva incorrectly points to the Aave V3 pool, the call fails, disrupting the pool creation process. This failure prevents users from utilizing the core functionality of the protocol.

Scenario 2: Yield Generation is Mismanaged

The contract relies on _aaveV3Pool to deposit collateral into Aave V3 for yield generation. With _aaveV3Pool pointing to the DIVA Protocol instead, any attempts to supply collateral to Aave will fail. This results in users' collateral being locked in the contract without generating yield, leading to financial losses and degraded user trust.

Scenario 3: Denial of Service

Collateral tokens registered via registerCollateralToken will reference invalid addresses due to the initialization error. This will disrupt workflows such as:

• Adding liquidity (addLiquidity) since collateral tokens won’t interact with Aave V3.

• Removing liquidity (removeLiquidity) since wTokens cannot be redeemed properly.

The misalignment essentially renders the contract non-functional for all users.

Scenario 4: Potential Economic and Reputation Damage

Deploying the contract with these errors could lead to:

• Redeployment costs to fix the issue, wasting gas and delaying project timelines.

• Loss of user trust if the protocol remains inoperable for extended periods.

Code References

Incorrect Constructor Implementation:

Corrected Constructor:

Root Cause

The root cause of this vulnerability is the incorrect parameter order when initializing the parent contract. The constructor call in AaveDIVAWrapperCore expects _diva, _aaveV3Pool, and _owner in a specific sequence, but they are supplied in a mismatched order.

Recommendations

1. Fix Parameter Order in Constructor
   Ensure that the parameters are passed in the correct order during initialization:

   constructor(address _diva, address _aaveV3Pool, address _owner)

   AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}

   ​

2. Implement Validation in Constructor
   Validate the provided _diva and _aaveV3Pool addresses to ensure they correspond to valid contracts:

   require(_isValidDIVA(_diva), "Invalid DIVA Protocol address");

   require(_isValidAaveV3Pool(_aaveV3Pool), "Invalid Aave V3 Pool address");

   ​