Severity: low
Valid

Router approval is not revoked in setRouter() for the old router in src/StrategyArb.sol and src/StrategyOp.sol

Summary

The StrategyArb and StrategyOp contracts interact with a router contract to perform token swaps between the underlying token (WETH) and the synthetic asset (alETH). The setRouter() function allows management to update the router address and sets an unlimited approval for the underlying token to be spent by the new router.

However, when changing routers, the function fails to revoke the approval from the old router address first. This means that previously approved routers retain their unlimited approval to spend the strategy's underlying tokens, even after they are no longer in use.

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L48-L51

    function setRouter(address _router) external onlyManagement {
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }

Recommended mitigation steps

The setRouter() function should revoke approval from the old router before setting the approval for the new one:

    function setRouter(address _router) external onlyManagement {
        // Revoke approval from old router
        underlying.safeApprove(router, 0);
        // Set new router and approve
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }

This ensures that only the currently active router has approval to spend the strategy's tokens.
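The following Foundry test is an added example written for this page; it is not code from the Alchemix strategies or from the submitter. It models the allowance bookkeeping with a minimal constructed token (plain approve() stands in for safeApprove(), since only the allowance state matters here) and shows, side by side, the stale allowance left behind by the original setRouter() and the clean state after the recommended revoke-then-approve ordering. The router addresses, the MockWETH token and the StrategyVulnerable/StrategyFixed contracts are all assumptions made for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the underlying token: only allowance bookkeeping is needed.
contract MockWETH {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }
}

// Hypothetical base mirroring the strategy's router/approval state.
abstract contract StrategyBase {
    MockWETH public immutable underlying;
    address public immutable management;
    address public router;

    modifier onlyManagement() {
        require(msg.sender == management, "!management");
        _;
    }

    constructor(MockWETH _underlying, address _router) {
        underlying = _underlying;
        management = msg.sender;
        router = _router;
        // Initial unlimited approval for the first router, as a strategy would set up.
        underlying.approve(_router, type(uint256).max);
    }

    function setRouter(address _router) external virtual;
}

// Same shape as the finding: the old router keeps its unlimited allowance.
contract StrategyVulnerable is StrategyBase {
    constructor(MockWETH u, address r) StrategyBase(u, r) {}

    function setRouter(address _router) external override onlyManagement {
        router = _router;
        underlying.approve(router, type(uint256).max);
    }
}

// Recommended ordering: zero the old router's allowance before approving the new one.
contract StrategyFixed is StrategyBase {
    constructor(MockWETH u, address r) StrategyBase(u, r) {}

    function setRouter(address _router) external override onlyManagement {
        underlying.approve(router, 0); // revoke the old router first
        router = _router;
        underlying.approve(router, type(uint256).max);
    }
}

contract SetRouterTest is Test {
    address constant OLD_ROUTER = address(0xA11CE); // constructed address
    address constant NEW_ROUTER = address(0xB0B);   // constructed address
    MockWETH weth;

    function setUp() public {
        weth = new MockWETH();
    }

    // The test contract deploys the strategy, so it is `management`.
    function test_vulnerable_leavesStaleAllowance() public {
        StrategyVulnerable s = new StrategyVulnerable(weth, OLD_ROUTER);
        s.setRouter(NEW_ROUTER);
        // Both routers can now spend the strategy's underlying without limit.
        assertEq(weth.allowance(address(s), OLD_ROUTER), type(uint256).max);
        assertEq(weth.allowance(address(s), NEW_ROUTER), type(uint256).max);
    }

    function test_fixed_revokesOldRouter() public {
        StrategyFixed s = new StrategyFixed(weth, OLD_ROUTER);
        s.setRouter(NEW_ROUTER);
        // Only the active router retains an allowance.
        assertEq(weth.allowance(address(s), OLD_ROUTER), 0);
        assertEq(weth.allowance(address(s), NEW_ROUTER), type(uint256).max);
    }
}
```

Run it with forge test. One further point in favour of zeroing first: OpenZeppelin 4.x's SafeERC20.safeApprove reverts when an allowance is changed from one non-zero value to another, so with that library the unfixed setRouter() would also revert if management ever re-set a router that already holds an approval, while the revoke-then-approve ordering handles that case.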

Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

