The setRouter
function allows the management to update the router
address and grants it an unlimited approval for the underlying token. However, the function fails to reset the token approval for the previous router
, potentially leaving it with residual unlimited approval. This oversight introduces a critical vulnerability, as it allows a malicious or compromised previous router to continue interacting with the underlying token, potentially leading to unauthorized token transfers or draining of funds.
The function updates the router
without revoking the token approval for the existing router.
As a result, the previous router
retains its unlimited approval for the underlying token.
If the previous router
is malicious or compromised, it can exploit the unlimited approval to transfer the underlying token arbitrarily.
A malicious or compromised previous router
could transfer or drain the underlying tokens using the retained unlimited approval.
To mitigate this vulnerability, the setRouter
function should revoke the approval for the existing router
before updating it to the new router.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.