Lack of Approval Revocation for Old Router When Updating Router
Summary
The setRouter function in the StrategyOp and StrategyArb contract does not revoke the approval of the old router for the underlying token (WETH). This creates a potential vulnerability where a previously approved router, if compromised or malicious, could drain all WETH from the strategy.
Vulnerability Details
In the setRouter function, the strategy updates the router address and grants approval to the new router:
However, there is no logic to revoke the approval of the old router. As a result, the old router retains unlimited approval to spend WETH from the strategy's balance. If the old router becomes compromised or behaves maliciously, it could exploit this unlimited approval to drain the WETH held by the strategy.
Impact
If a previously used router contract is compromised or intentionally malicious, it can drain all WETH from the strategy, leading to a significant loss of funds. This could result in irrecoverable financial damage to the protocol and its users.
Tools Used
Manual Review
Recommendations
To mitigate this vulnerability, revoke the approval of the old router before updating the router address. Modify the setRouter function as follows:
Appeal created
Old router approval is not revoked after an update
Old router approval is not revoked after an update
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.