DeFiFoundrySolidity
Submission Details
Severity: low
Valid

When a new router address is set the approval for the old router is not reset

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L48
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L42
## Summary
The `setRouter` function in both the `StrategyArb` and `StrategyOp` contracts sets a new router address and grants it approval for the maximum underlying token amount. However, it does not reset the approval of the old router, leaving that address with unlimited spending rights; if the old router address is compromised, this can lead to complete loss of funds.
## Vulnerability Details
When the `setRouter` function is called, the approval for the old router is not revoked. This means the old router retains unlimited access to the underlying tokens.
```solidity
function setRouter(address _router) external onlyManagement {
    router = _router;
    underlying.safeApprove(router, type(uint256).max);
}
```
The `safeApprove` function directly updates the allowance for the new router without resetting the approval for the old router.
## Impact
Complete loss of funds in case of compromised old router.
## Tools Used
Manual review
## Recommendations
Before approving the new router, reset the approval for the old router to zero.
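The following is an added example of the recommended fix, not code from the Alchemix repository or from the submitter. It shows a hardened `setRouter` that revokes the previous router's allowance before approving the new one, guarding the first-call case where no old router exists yet. The `management` address, the `onlyManagement` modifier body and the OpenZeppelin import paths are assumptions (OpenZeppelin Contracts v4.x, where `safeApprove` still exists; v5 replaced it with `forceApprove`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumes OpenZeppelin Contracts v4.x (SafeERC20.safeApprove was removed in v5;
// use forceApprove there). Illustrative example, not the project's own code.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract RouterApprovalExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying;
    address public management; // stand-in for the strategy's real access control
    address public router;

    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    // Assumed modifier: the real strategies inherit theirs from a base contract.
    modifier onlyManagement() {
        require(msg.sender == management, "!management");
        _;
    }

    constructor(IERC20 _underlying, address _management) {
        underlying = _underlying;
        management = _management;
    }

    // Hardened version: revoke the old router's allowance before approving the new one.
    function setRouter(address _router) external onlyManagement {
        require(_router != address(0), "router=0");
        address oldRouter = router;

        // Revoke the previous router's unlimited allowance. The zero-address guard
        // matters on the first call: there is no old router yet, and ERC20.approve
        // to address(0) reverts in the OpenZeppelin implementation.
        if (oldRouter != address(0)) {
            underlying.safeApprove(oldRouter, 0);
        }

        router = _router;

        // OZ 4.x safeApprove only allows raising from a zero allowance. A brand-new
        // router starts at zero; if the same address is set again, the revoke above
        // has already brought its allowance back to zero.
        underlying.safeApprove(_router, type(uint256).max);

        emit RouterUpdated(oldRouter, _router);
    }

    // View helper for reviewers and monitoring: after a router change, the old
    // router's allowance should read 0 and the new router's type(uint256).max.
    function routerAllowance(address spender) external view returns (uint256) {
        return underlying.allowance(address(this), spender);
    }
}
```

After a router rotation, a quick invariant to check on-chain or in a Foundry test is `routerAllowance(oldRouter) == 0` and `routerAllowance(newRouter) == type(uint256).max`; a non-zero allowance left on a retired router is exactly the condition this finding describes.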
Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update
