Submission Details
Severity: low
Valid

Lack of router update mechanism in StrategyMainnet

Summary

The StrategyMainnet contract does not include a setRouter function, so the router address cannot be changed after deployment. This prevents the strategy from adapting to changing conditions, such as:

  • The need to replace a compromised router.

  • Upgrading to a more efficient or feature-complete router.

Vulnerability Details

In the StrategyMainnet contract, the router is set during initialization in the _initStrategy() function.

    function _initStrategy() internal {
        router = ICurveRouterNG(0xF0d4c12A5768D806021F80a262B4d39d26C58b8D);
        underlying.safeApprove(address(router), type(uint256).max);
    }

There is no mechanism to update the router address after deployment.

If the router becomes deprecated, upgraded, or compromised, the strategy cannot be updated to use a new router. This could lead to:

  • Inoperability if the current router is no longer functional.

  • Potential losses if the router is compromised and exploited.

Impact

The strategy cannot adapt to changing conditions, such as router upgrades or security incidents.

If the router is compromised in the future, the unlimited token approval could allow it to drain all tokens from the strategy.

Tools Used

manual

Recommendations

Introduce a setRouter function to allow authorized management to update the router address.
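
One way to implement this recommendation, as an added sketch that is not code from StrategyMainnet or from the submission: a setRouter that revokes the old router's unlimited allowance before approving the new one. The contract name RouterUpdateSketch, the management role, the RouterUpdated event and the _approve helper are assumptions made for illustration; only router and underlying come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interface so the sketch compiles on its own.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for the strategy; only the router handling is shown.
contract RouterUpdateSketch {
    IERC20 public underlying;
    address public management; // assumed privileged role, not taken from the project
    address public router;

    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    constructor(IERC20 _underlying, address _management, address _router) {
        require(_management != address(0) && _router != address(0), "zero address");
        underlying = _underlying;
        management = _management;
        router = _router;
        _approve(_router, type(uint256).max);
    }

    function setRouter(address newRouter) external {
        require(msg.sender == management, "not management");
        require(newRouter != address(0), "zero address");
        require(newRouter.code.length > 0, "not a contract");
        address oldRouter = router;
        require(newRouter != oldRouter, "same router");

        // Revoke first: a replaced router must not keep any spending rights.
        _approve(oldRouter, 0);
        router = newRouter;
        _approve(newRouter, type(uint256).max);
        emit RouterUpdated(oldRouter, newRouter);
    }

    // Low-level call tolerates tokens whose approve() returns no value.
    function _approve(address spender, uint256 amount) private {
        (bool ok, bytes memory ret) =
            address(underlying).call(abi.encodeCall(IERC20.approve, (spender, amount)));
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "approve failed");
    }
}
```

Setting the old allowance to zero is the step that addresses the drain risk described under Impact; changing the router address alone would leave the previous approval in place.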

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Cannot Set A New Router In `StrategyMainnet.sol`
