DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: low
Valid

There is no way to update the router address in StrategyMainnet

Summary

Unlike the Optimism and Arbitrum strategies, there is no function in StrategyMainnet to update the address of the router. This is a problem in the scenario where the Curve protocol updates its router address.

Vulnerability Details

Both the Optimism and Arbitrum strategies have a setRouter[1][2] function to update the router address. However, StrategyMainnet does not implement such a function. If the Curve protocol changes its router address, StrategyMainnet cannot be updated to the new address because no function exists to do so.

Impact

Impact: High

Likelihood: Low

Tools Used

Manual Review

Recommendations

As in the Optimism and Arbitrum strategies, it is recommended to implement a setRouter function in the Mainnet strategy.

StrategyMainnet.sol
contract StrategyMainnet is BaseStrategy {
... snip
+ function setRouter(address _router) external onlyManagement {
+ underlying.safeApprove(address(router), 0);
+ router = ICurveRouterNG(_router);
+ underlying.safeApprove(address(router), type(uint256).max);
+ }
... snip
}
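
Review bot: `setRouter` gives a `type(uint256).max` allowance on `underlying` to whatever `_router` management passes, with no validation of the argument and no event. Consider rejecting `address(0)` before the first `safeApprove` call, and emitting an event carrying the old and new router addresses so that a router change is visible to off-chain monitoring. The ordering in the hunk (revoke the old router's allowance, assign `router`, then approve the new one) should be kept, since it ensures the previous router is not left with a standing approval.
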
Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Cannot Set A New Router In `StrategyMainnet.sol`
