Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

SafeERC20.safeApprove reverts for changing existing approvals

i_atiq

Summary

The setRouter function in StrategyArb and StrategyOp uses SafeERC20.safeApprove to grant the router an unlimited allowance for the underlying token. However, SafeERC20.safeApprove reverts when an existing non-zero allowance is modified to another non-zero value without being reset to zero first. This behavior can cause the function to fail if the same router is re-used or re-assigned after a previous approval. As a result, once the router is changed, it becomes impossible to revert to a previously used router.

Vulnerability Details

The SafeERC20.safeApprove function follows the best practice of resetting existing allowances to zero before setting a new non-zero allowance. If a previously used router is re-assigned, the approval process will revert due to this restriction. The safeApprove will revert if existing allowance is non zero due to check-

require(

(value == 0) || (token.allowance(address(this), spender) == 0),

"SafeERC20: approve from non-zero to non-zero allowance"

);

Impact

If a previously approved router needs to be reassigned, the transaction will revert due to checks in safeApprove

Recommendations

To address this issue, modify the setRouter function to reset the approval of previous router to zero before granting a new allowance to new router.

function setRouter(address _router) external onlyManagement {

// Revoke approval for the current router

+ underlying.safeApprove(router, 0);

// Update router and grant new approval

router = _router;

underlying.safeApprove(router, type(uint256).max);

}

Updates

Appeal created

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.