Submission Details
Severity:
In `StrategyMainnet::_initStrategy` the protocol use wrong router address for initialization
Summary
The _initStrategy in StrategyMainnet uses this address for initialization:
/**
* @dev Initializes the strategy with the router address & approves WETH to be swapped via router
*/
function _initStrategy() internal {
router = ICurveRouterNG(0xF0d4c12A5768D806021F80a262B4d39d26C58b8D);
underlying.safeApprove(address(router), type(uint256).max);
}
Vulnerability Details
But if we check on Curve docs the correct address is this:
0x16C6521Dff6baB339122a0FE25a9116693265353
We can see that (first address in the table) on this link:
https://docs.curve.fi/references/deployed-contracts/#curve-router
Impact
Protocol will use wrong router address for initializing strategy.
Tools Used
Manual Review
Recommendations
Make sure protocol use the correct and updated router address.
Make following changes in _initStrategy:
/**
* @dev Initializes the strategy with the router address & approves WETH to be swapped via router
*/
function _initStrategy() internal {
- router = ICurveRouterNG(0xF0d4c12A5768D806021F80a262B4d39d26C58b8D);
+ router = ICurveRouterNG(0x16C6521Dff6baB339122a0FE25a9116693265353);
underlying.safeApprove(address(router), type(uint256).max);
}
Prize pool breakdown
Total prize
16,653 OP
nSLOC
25366 OP / LOC
15,800
853
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.