Severity: low
Valid

In StrategyArb contract, asset allowance should be removed from the old router when updating to a new router

Summary

In the Arbitrum strategy, the router can be upgraded with the corresponding setRouter function. The new address is stored and an allowance is granted to it. However, the allowance of the old router is never revoked, leaving a security gap that a malicious actor could exploit.

Vulnerability Details

When a new router is set in the Arbitrum strategy (as in the Optimism one), the setRouter function is called and an allowance is granted to the new contract. However, the old router's allowance is not removed.

StrategyArb.sol

    function setRouter(address _router) external onlyManagement {
        // @audit - approval revoking for the old router is missing
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }

Keeping an allowance on the old router is a security risk, as that contract is not created or maintained by a trusted actor within the Alchemix protocol but by an external entity or organization. This has several drawbacks:

  • There is no guarantee that external actors are not malicious.

  • Even if external actors are not malicious, a security issue in their old-version protocol contracts can directly compromise funds in the Alchemix system.

Impact

Impact: High

Likelihood: Low

Tools Used

Manual Review

Recommendations

It is recommended to revoke the old router's allowance before granting one to the new router.

StrategyArb.sol

    function setRouter(address _router) external onlyManagement {
    +   underlying.safeApprove(router, 0);
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }
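The following Foundry test is an added example, not part of this submission or of the Alchemix code base. It shows the finding and the fix side by side: after setRouter, the replaced router still holds a type(uint256).max allowance unless it is zeroed first. MockToken, StrategyStub, the revokeOld toggle and the router addresses are constructed stand-ins; the real contract uses SafeERC20.safeApprove rather than plain approve.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "forge-std/Test.sol";

// Minimal ERC20 stand-in: only the allowance bookkeeping this finding concerns.
contract MockToken {
    mapping(address => mapping(address => uint256)) public allowance;
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }
}
// Hypothetical stand-in for StrategyArb: plain approve replaces safeApprove to avoid
// external dependencies; revokeOld toggles the reported vs. the recommended behaviour.
contract StrategyStub {
    MockToken public underlying;
    address public router;
    bool public revokeOld;
    constructor(MockToken _underlying, address _router, bool _revokeOld) {
        underlying = _underlying;
        router = _router;
        revokeOld = _revokeOld;
        underlying.approve(router, type(uint256).max);
    }
    function setRouter(address _router) external {
        if (revokeOld) underlying.approve(router, 0); // the recommended fix
        router = _router;
        underlying.approve(router, type(uint256).max);
    }
}
contract SetRouterAllowanceTest is Test {
    MockToken token = new MockToken();
    address oldRouter = address(0xA1); // constructed addresses, not from the page
    address newRouter = address(0xB2);

    // Reported behaviour: the replaced router keeps its unlimited allowance.
    function test_OldRouterAllowancePersists() public {
        StrategyStub s = new StrategyStub(token, oldRouter, false);
        s.setRouter(newRouter);
        assertEq(token.allowance(address(s), oldRouter), type(uint256).max);
        assertEq(token.allowance(address(s), newRouter), type(uint256).max);
    }

    // Recommended fix: only the current router holds an allowance afterwards.
    function test_OldRouterAllowanceRevoked() public {
        StrategyStub s = new StrategyStub(token, oldRouter, true);
        s.setRouter(newRouter);
        assertEq(token.allowance(address(s), oldRouter), 0);
        assertEq(token.allowance(address(s), newRouter), type(uint256).max);
    }
}
```

Run with `forge test --match-contract SetRouterAllowanceTest`; the first test documents the reported state, the second the state after the fix.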
Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update
