HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Valid

Incorrect Constructor Parameter Order in `AaveDIVAWrapper` breaks the contract

Summary

The AaveDIVAWrapper constructor incorrectly passes parameters to AaveDIVAWrapperCore, swapping the _diva and _aaveV3Pool addresses. This misconfiguration causes interactions with the wrong protocols.

Vulnerability Details

The constructor of `AaveDIVAWrapperCore.sol`:

constructor(address diva_, address aaveV3Pool_, address owner_)

The constructor of `AaveDIVAWrapper.sol`:

constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}

Impact

The AaveDIVAWrapper constructor incorrectly passes _aaveV3Pool as the first parameter and _diva as the second to AaveDIVAWrapperCore, while the parent contract expects the order:

  1. diva_ (DIVA Protocol address),

  2. aaveV3Pool_ (Aave V3 Pool address).

This swaps the protocol addresses, causing the contract to:

  • Treat the Aave V3 Pool address as the DIVA Protocol.

  • Treat the DIVA Protocol address as the Aave V3 Pool.

Most probably, none of the contract's functionality will work.

Tools Used

Manual Review

Recommendations

Swap the first two parameters in the AaveDIVAWrapper constructor to match AaveDIVAWrapperCore's expected order:

constructor(address _diva, address _aaveV3Pool, address _owner)
AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}
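
A check for this class of mistake, as an added example (not code from the audited repository or from the submission): a small JavaScript heuristic that compares the parent constructor's parameter names with the identifiers the child passes, ignoring leading and trailing underscores. The function names and the regex-based parsing are assumptions made for illustration; the three source strings are the constructors quoted above.

```javascript
// Constructor lines quoted in this finding, embedded as sample input.
const PARENT = "constructor(address diva_, address aaveV3Pool_, address owner_)";
const BUGGY = "constructor(address _aaveV3Pool, address _diva, address _owner) " +
  "AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}";
const FIXED = "constructor(address _diva, address _aaveV3Pool, address _owner)\n" +
  "AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}";

// Strip underscore prefixes/suffixes so `_diva` and `diva_` compare equal.
const norm = (name) => name.replace(/^_+|_+$/g, "");

// Take the last token of each comma-separated entry: works for
// "address diva_" (a declaration) and for "_diva" (a call argument).
function names(list) {
  return list.split(",").map((p) => p.trim()).filter(Boolean)
    .map((p) => norm(p.split(/\s+/).pop()));
}

// Returns one { position, expected, got } entry per argument that is passed
// in a slot belonging to a different parent parameter.
function checkParentCall(parentName, parentSrc, childSrc) {
  const decl = /constructor\s*\(([^)]*)\)/.exec(parentSrc);
  const call = new RegExp(
    `constructor\\s*\\([^)]*\\)[^{]*?\\b${parentName}\\s*\\(([^)]*)\\)`
  ).exec(childSrc);
  if (!decl || !call) throw new Error("constructor or parent call not found");

  const expected = names(decl[1]);
  const passed = names(call[1]);
  if (expected.length !== passed.length) throw new Error("argument count mismatch");

  const findings = [];
  expected.forEach((name, i) => {
    // Flag only when the identifier names another parent parameter, so
    // unrelated local names do not produce noise.
    if (passed[i] !== name && expected.includes(passed[i])) {
      findings.push({ position: i, expected: name, got: passed[i] });
    }
  });
  return findings;
}

console.log(checkParentCall("AaveDIVAWrapperCore", PARENT, BUGGY));
console.log(checkParentCall("AaveDIVAWrapperCore", PARENT, FIXED));
```

Because all three parameters are `address`, the compiler accepts either order; a name-based check like this, or a deployment test that reads the stored addresses back, is what catches the swap.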

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Constructor arguments mismatch
