Summary

The setRouter function in StrategyArb and StrategyOp uses SafeERC20.safeApprove to grant the router an unlimited allowance for the underlying token. However, SafeERC20.safeApprove reverts when an existing non-zero allowance is modified to another non-zero value without being reset to zero first. This behavior can cause the function to fail if the same router is re-used or re-assigned after a previous approval. As a result, once the router is changed, it becomes impossible to revert to a previously used router.

Vulnerability Details

The SafeERC20.safeApprove function follows the best practice of resetting existing allowances to zero before setting a new non-zero allowance. If a previously used router is re-assigned, the approval process will revert due to this restriction. The safeApprove will revert if existing allowance is non zero due to check-

Impact

1. If a previously approved router needs to be reassigned, the transaction will revert due to checks in safeApprove

Recommendations

To address this issue, modify the setRouter function to reset the approval of previous router to zero before granting a new allowance to new router.