The setRouter function allows management to set a new router and grants the new router an infinite approval to spend the underlying token. However, the function does not revoke the approval of the previous router.
The setRouter() function in the StrategyOp, StrategyArb, and StrategyMainnet contracts allows management to set a new router and grants the new router an infinite approval to spend the underlying token. However, the function does not revoke the approval of the previous router, leaving the previous router with lingering approval to spend the contract's tokens.
If the previously approved router remains authorized to spend tokens, it poses a security risk:
Unauthorized Usage: If the previous router is compromised or malicious, it could continue to spend the underlying token without restriction.
Loss of Funds: If the previous router’s contract is exploited, it could drain all approved tokens from the protocol.
manual review
Revoke the approval of the previous router before setting a new one. This can be done by calling safeApprove() with a value of 0 for the previous router.
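The recommended fix as an added sketch, not the audited project's code, with the pattern from the finding next to it. It assumes OpenZeppelin Contracts 4.x (where SafeERC20.safeApprove() exists); the contract name, the state variables, the onlyManagement modifier, the RouterUpdated event and setRouterUnsafe() are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumption: OpenZeppelin Contracts 4.x, which still ships SafeERC20.safeApprove().
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical minimal strategy; only setRouter() and safeApprove() are named in the finding.
contract RouterApprovalExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying;
    address public immutable management;
    address public router;

    // Lets monitoring tie every router change to the address whose allowance was revoked.
    event RouterUpdated(address indexed previousRouter, address indexed newRouter);

    modifier onlyManagement() {
        require(msg.sender == management, "not management");
        _;
    }

    constructor(IERC20 _underlying, address _router) {
        require(_router != address(0), "zero router");
        underlying = _underlying;
        management = msg.sender;
        router = _router;
        _underlying.safeApprove(_router, type(uint256).max);
    }

    // Pattern described in the finding: the old router keeps its infinite allowance.
    function setRouterUnsafe(address _router) external onlyManagement {
        router = _router;
        underlying.safeApprove(_router, type(uint256).max);
    }

    // Hardened form: revoke the previous router first, then approve the new one.
    function setRouter(address _router) external onlyManagement {
        require(_router != address(0), "zero router");
        address previous = router;
        underlying.safeApprove(previous, 0); // setting an allowance to 0 is always permitted
        router = _router;
        // safeApprove() reverts unless the current allowance is 0; after the revoke
        // above this also holds when _router == previous.
        underlying.safeApprove(_router, type(uint256).max);
        emit RouterUpdated(previous, _router);
    }
}
```

After a router change, underlying.allowance(address(strategy), previousRouter) should read 0; a non-zero value for any address other than the current router indicates a lingering approval.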