Unrestricted Approval Retention in `setRouter` Function Leading to Potential Token Drain
Summary
The setRouter function allows the management to update the router address and grants it an unlimited approval for the underlying token. However, the function fails to reset the token approval for the previous router, potentially leaving it with residual unlimited approval. This oversight introduces a critical vulnerability, as it allows a malicious or compromised previous router to continue interacting with the underlying token, potentially leading to unauthorized token transfers or draining of funds.
Vulnerability Details
The function updates the
routerwithout revoking the token approval for the existing router.As a result, the previous
routerretains its unlimited approval for the underlying token.If the previous
routeris malicious or compromised, it can exploit the unlimited approval to transfer the underlying token arbitrarily.
Impact
A malicious or compromised previous
routercould transfer or drain the underlying tokens using the retained unlimited approval.
Recommendations
To mitigate this vulnerability, the setRouter function should revoke the approval for the existing router before updating it to the new router.
Appeal created
Old router approval is not revoked after an update
Old router approval is not revoked after an update
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.