Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: high
Invalid

Unprotected Initializer Function in StrategyOp Contract

0xjayonchain

Summary

The _initStrategy function in the StrategyOp contract is unprotected, allowing potential reinitialization of critical variables and token approvals. This exposes the contract to risks such as unauthorized changes to the router address and token mismanagement.

Vulnerability Details

  • Issue: The _initStrategy function lacks an access control mechanism or restriction to prevent it from being called multiple times. Although it is intended to be used during the constructor, it remains exposed as internal, allowing potential invocation through inheritance or derived contracts.

  • Affected Code:

    function _initStrategy() internal {
    router = 0xa062aE8A9c5e11aaA026fc2670B0D65cCc8B2858;
    underlying.safeApprove(address(router), type(uint256).max);
    }

  • Root Cause: The absence of a modifier like initializer or an explicit access control mechanism leaves the function vulnerable to misuse.

Impact

  1. Unauthorized Reinitialization: An attacker or faulty derived contract can reinitialize the router variable, redirecting token approvals to an unintended address.

  2. Token Mismanagement: Repeated calls to _initStrategy could lead to excessive or incorrect token approvals, potentially allowing unauthorized transfers.

  3. Increased Attack Surface: Exposed initialization logic can serve as an entry point for exploiting other vulnerabilities within the system.

Tools Used

  • Static analysis tool Aderyn.

Recommendations

  1. Restrict Access:

    • Use a modifier like initializer or a custom onlyOnce modifier to ensure the function is executed only once.

    • Example:

      bool private initialized;
      modifier onlyOnce() {
      require(!initialized, "Already initialized");
      _;
      initialized = true;
      }
      function _initStrategy() internal onlyOnce {
      router = 0xa062aE8A9c5e11aaA026fc2670B0D65cCc8B2858;
      underlying.safeApprove(address(router), type(uint256).max);
      }

  2. Access Control: If _initStrategy needs to remain callable, restrict it using role-based access modifiers like onlyOwner or onlyManagement.

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.