DeFiFoundrySolidity
16,653 OP
View results
Submission Details
Severity: low
Valid

Unrestricted Approval Retention in `setRouter` Function Leading to Potential Token Drain

Summary

The setRouter function allows the management to update the router address and grants it an unlimited approval for the underlying token. However, the function fails to reset the token approval for the previous router, potentially leaving it with residual unlimited approval. This oversight introduces a critical vulnerability, as it allows a malicious or compromised previous router to continue interacting with the underlying token, potentially leading to unauthorized token transfers or draining of funds.

Vulnerability Details

  1. The function updates the router without revoking the token approval for the existing router.

  2. As a result, the previous router retains its unlimited approval for the underlying token.

  3. If the previous router is malicious or compromised, it can exploit the unlimited approval to transfer the underlying token arbitrarily.

Impact

  1. A malicious or compromised previous router could transfer or drain the underlying tokens using the retained unlimited approval.

Recommendations

To mitigate this vulnerability, the setRouter function should revoke the approval for the existing router before updating it to the new router.

function setRouter(address _router) external onlyManagement {
// Revoke approval for the current router
+ underlying.safeApprove(router, 0);
// Update router and grant new approval
router = _router;
underlying.safeApprove(router, type(uint256).max);
}
Updates

Appeal created

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.