Summary

The StrategyArb and StrategyMainnet contracts introduce two centralization risks:

1. Router Address Control: The Manager role can arbitrarily set the router address, enabling potential malicious activity if compromised.

2. Swap Routes Configuration: The Manager can define custom swap routes via the addRoute function, which can lead to fund redirection or inefficient swaps.

Both issues pose severe financial, operational, and reputational risks. Mitigation includes decentralizing control through multi-signature governance, implementing robust validation checks, and adopting preventative coding practices.

Technical Details

1. Centralized Control Over Router Address (StrategyArb)

Code Reference:

• Router address initialized in _initStrategy:

  function _initStrategy() internal {

  router = 0xAAA87963EFeB6f7E0a2711F397663105Acb1805e;

  underlying.safeApprove(address(router), type(uint256).max);

  }

  ​

• Updatable via setRouter:

  function setRouter(address _router) external onlyManagement {

  router = _router;

  underlying.safeApprove(router, type(uint256).max);

  }

  ​

Issue:

• The onlyManagement modifier grants the Manager role control over the router address.

• If compromised, the Manager can update the router to a malicious contract, which can perform unauthorized swaps or drain funds.

2. Centralized Control Over Swap Routes (StrategyMainnet)

Code Reference:

• Add routes via addRoute:

  function addRoute(

  address[11] calldata _route,

  uint256[5][5] calldata _swapParams,

  address[5] calldata _pools

  ) external onlyManagement {

  routes[nRoutes] = _route;

  swapParams[nRoutes] = _swapParams;

  pools[nRoutes] = _pools;

  nRoutes++;

  }

  ​

Issue:

• The Manager can define arrays of routes, parameters, and pools without validation.

• Malicious routes can redirect funds to external wallets or execute inefficient swaps, leading to financial losses.

Exploitation Scenarios

Router Address Control (StrategyArb)

Scenario:

1. Manager updates the router to a malicious contract they control.

   setRouter(0xMaliciousAddress);

   ​

2. During a _swapUnderlyingToAsset operation:

   IRamsesRouter(router).swapExactTokensForTokens(_amount, minOut, _path, address(this), block.timestamp);

   ​

   The malicious router redirects funds to an attacker-controlled wallet.

Proof of Concept:

• Assume the contract holds 5,000 WETH (~$10M at $2,000/WETH).

• The malicious router executes swaps that result in a direct transfer to an attacker wallet:

  function swapExactTokensForTokens(

  uint256 _amount,

  uint256 _minOut,

  route[] calldata _path,

  address to,

  uint256 deadline

  ) external {

  // Directly transfer tokens to attacker-controlled wallet

  token.transfer(0xAttackerWallet, _amount);

  }

  ​

Impact:

• Full loss of all 5,000 WETH.

• Operational disruption and reputational damage to the protocol.

Swap Routes Configuration (StrategyMainnet)

Scenario:

1. Manager defines a malicious route:

   addRoute(

   [0xMaliciousToken1, 0xMaliciousToken2, ...],

   [[1, 1, ...]],

   [0xMaliciousPool1, 0xMaliciousPool2, ...]

   );

   ​

2. A claimAndSwap operation executes the malicious route:

   router.exchange(

   routes[_routeNumber],

   swapParams[_routeNumber],

   _amountClaim,

   _minOut,

   pools[_routeNumber],

   address(this)

   );

   ​

3. The malicious route swaps assets at inefficient rates or redirects funds.

Proof of Concept:

• Assume the protocol manages $50M in assets.

• A malicious route swaps 10% of the funds ($5M) at a manipulated rate, resulting in a $4.8M net loss.

• Funds are directed to an attacker-controlled pool.

Root Cause Analysis

1. Router Address Control:

   • Centralized control via onlyManagement without additional safeguards.

   • Unlimited token approvals (type(uint256).max) exacerbate the risk.

2. Swap Routes Configuration:

   • Lack of validation for routes, parameters, and pools.

   • No multi-signature requirement for route addition.

Mitigation Recommendations

1. Decentralize Control

• Replace onlyManagement with multi-signature governance for critical operations like setRouter and addRoute.

  modifier onlyMultiSig {

  require(isApprovedByMultiSig(msg.sender), "Not approved");

  _;

  }

  ​

2. Implement Validation and Whitelisting

• Validate router addresses and swap routes against pre-approved lists.

  require(whitelistedRouters[_router], "Router not whitelisted");

  require(isValidRoute(_route), "Invalid route");

  ​

Impact Analysis

Router Address Control:

• Worst-Case Impact: Loss of all funds managed by the strategy.

• Quantifiable Example: $10M drained due to malicious router.

Swap Routes Configuration:

• Worst-Case Impact: Inefficient trades or fund redirection leading to multi-million-dollar losses.

• Quantifiable Example: $4.8M loss due to manipulated trade rates.