StrategyArb: https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyArb.sol#L42-L45
StrategyOp: https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyOp.sol#L48-L51
In StrategyArb and StrategyOp, the function setRouter allows changing the address of the router contract, but fails to reset the underlying token allowance of the previous router to 0. This could result in a loss of funds if any previously approved router gets compromised.
StrategyArb and StrategyOp both allow a user with Management rights to change the address of the router used to swap WETH for alETH. Upon doing so, the contract approves the new router to spend all of its WETH, but fails to revoke the same right from the previous router, which is no longer used:
As was briefly explained in the kickoff, the Alchemix team is setting up this project to recover losses from the Curve re-entrancy bug. This stresses the importance of having a security measure in place to block any malicious opportunity when an attack occurs.
Unblockable loss of funds when a breach occurs in a previously approved router.
Revoke the approval of the previous router before setting the new one:
This precaution can further be extended to StrategyMainnet, as no mechanism to revoke the allowance is implemented there either.
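The following Solidity contract is an added illustration of the finding and of the recommended fix; it is example code, not the audited StrategyArb/StrategyOp/StrategyMainnet sources. The contract, its names (`underlying`, `router`, `management`, `setRouterWeak`, `revokeAllowance`) and the minimal `IERC20` surface are assumptions chosen for the example. It places the weak pattern (approve the new router, forget the old one) beside the corrected one (zero the old allowance first), and adds an explicit emergency revoke so management can cut off any spender when an incident is detected.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here (assumed for the example, not the project's interface).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Illustrative strategy with a swappable router. Names are assumptions for this
// example and do not correspond to the audited contracts.
contract RouterAllowanceExample {
    IERC20 public immutable underlying; // e.g. WETH in the finding's scenario
    address public router;
    address public management;

    event RouterChanged(address indexed oldRouter, address indexed newRouter);
    event AllowanceRevoked(address indexed spender);

    modifier onlyManagement() {
        require(msg.sender == management, "not management");
        _;
    }

    constructor(IERC20 _underlying, address _router) {
        require(_router != address(0), "zero router");
        underlying = _underlying;
        management = msg.sender;
        router = _router;
        require(underlying.approve(_router, type(uint256).max), "approve failed");
    }

    // WEAK pattern described in the finding: the new router receives an unlimited
    // allowance, but the previous router keeps its own unlimited allowance forever.
    function setRouterWeak(address _router) external onlyManagement {
        router = _router;
        require(underlying.approve(_router, type(uint256).max), "approve failed");
    }

    // CORRECTED pattern: zero the old router's allowance before approving the new one.
    // Revoking first also handles old == _router cleanly (the final state is max) and
    // avoids the non-zero -> non-zero approve revert that some tokens enforce.
    function setRouter(address _router) external onlyManagement {
        require(_router != address(0), "zero router");
        address old = router;
        require(underlying.approve(old, 0), "revoke failed");
        router = _router;
        require(underlying.approve(_router, type(uint256).max), "approve failed");
        emit RouterChanged(old, _router);
    }

    // Emergency lever: management can revoke any spender at any time, independent of
    // the router state, so a compromised router can be cut off without a redeploy.
    function revokeAllowance(address spender) external onlyManagement {
        require(underlying.approve(spender, 0), "revoke failed");
        emit AllowanceRevoked(spender);
    }

    // Invariant check for tests or monitoring: a given address holds an allowance
    // on the underlying token only if it is the currently active router.
    function onlyActiveRouterApproved(address candidate) external view returns (bool) {
        if (candidate == router) return true;
        return underlying.allowance(address(this), candidate) == 0;
    }
}
```

In a Foundry or Hardhat test, the regression check for this finding is to call `setRouter(newRouter)` and then assert `underlying.allowance(address(strategy), oldRouter) == 0`; with `setRouterWeak` that assertion fails, with `setRouter` it holds. The same check can be scheduled off-chain against the deployed strategies, emitting an alert if any address other than the active router holds a non-zero allowance.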