Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: low
Valid

Incorrect implementation of setRouter() function in StrategyArb.sol and StrategyOp.sol

james07

Summary

The setRouter() function enables the contract manager to update the router's address used for token swaps. However, the implementation does not explicitly clear the previous router address. As a result, users may still interact with the outdated router, even after the setRouter() function has been invoked to update it.

Vulnerability Details

function setRouter(address _router) external onlyManagement {
router = _router;
underlying.safeApprove(router, type(uint256).max);
}

This is setRouter() function in StrategyArb.sol and StrategyOp.sol

You can check this function with the following links

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L48

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L42

As evident from the code, this function only updates the router to the provided _router input without addressing the previous router. Consequently, the previous router retains its permissions to spend tokens.

Impact

The old router has still permission to spend tokens. Unauthorized users can use old router

Tools Used

Recommendations

function setRouter(address _router) external onlyManagement {
underlying.safeApprove(router, 0);
router = _router;
underlying.safeApprove(router, type(uint256).max);
}
Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.