Submission Details
Severity: low
Valid

Router Approval Vulnerability

Summary

Routers can retain max approval indefinitely, risking total asset loss if a router is compromised. Add a disapproval function for outdated or malicious routers to mitigate this.

Vulnerability Details

Because the routers belong to different protocols, one of them may eventually turn out to have a vulnerability, and the strategy contracts have no way to revoke a router's approval to stop it from draining all tokens in an emergency.

https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyArb.sol#L42-L45

    function setRouter(address _router) external onlyManagement {
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }

https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyOp.sol#L48-L51

    function setRouter(address _router) external onlyManagement {
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }

https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyMainnet.sol#L43-L47

Here there is no setRouter function; the router is approved in _initStrategy instead, so the effect is basically the same:

    function _initStrategy() internal {
        router = ICurveRouterNG(0xF0d4c12A5768D806021F80a262B4d39d26C58b8D);
        underlying.safeApprove(address(router), type(uint256).max);
    }

Impact

A compromised router could drain all tokens approved by these contracts.

Tools Used

Manual analysis.

Recommendations

Implement a mechanism to revoke token approvals from outdated or malicious routers in all strategy contracts.
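
One way to implement this recommendation, shown as an added sketch that is not code from the audited repository: setRouter zeroes the outgoing router's allowance before approving the new one, and revokeRouter gives management an emergency path. The contract name, the management address with its modifier, the events and revokeRouter are hypothetical, and the imports assume OpenZeppelin Contracts v4.x, where safeApprove exists.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumption: OpenZeppelin Contracts v4.x (safeApprove is not in v5).
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical sketch: `management` stands in for the strategy's real access control.
contract RouterApprovalSketch {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying;
    address public immutable management;
    address public router;

    event RouterSet(address indexed oldRouter, address indexed newRouter);
    event RouterRevoked(address indexed router);

    modifier onlyManagement() {
        require(msg.sender == management, "!management");
        _;
    }

    constructor(IERC20 _underlying, address _management) {
        underlying = _underlying;
        management = _management;
    }

    // Replace the router. The old allowance is set to 0 first, so a router
    // that has been swapped out can no longer pull `underlying`.
    function setRouter(address _router) external onlyManagement {
        require(_router != address(0), "zero router");
        address old = router;
        if (old != address(0)) underlying.safeApprove(old, 0);
        router = _router;
        // safeApprove accepts a non-zero value only when the allowance is 0,
        // which holds here because every earlier router was revoked above.
        underlying.safeApprove(_router, type(uint256).max);
        emit RouterSet(old, _router);
    }

    // Emergency path: drop the current router's allowance with no replacement.
    function revokeRouter() external onlyManagement {
        address old = router;
        require(old != address(0), "no router");
        router = address(0);
        underlying.safeApprove(old, 0);
        emit RouterRevoked(old);
    }
}
```

After revokeRouter, any swap path that calls the router reverts until management sets a new one, so the same sketch would need the strategy's swap functions to tolerate a zero router.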

Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update
