Severity: low
Valid

`StrategyArb::setRouter` and `StrategyOp::setRouter` do not reset token approvals

Summary

`StrategyArb::setRouter` and `StrategyOp::setRouter` do not reset token approvals.

Vulnerability Details

When the router is updated, the token approval granted to the old router is not removed.

```solidity
/**
 * @dev Sets the router address for swapping WETH to alETH
 * @param _router The address of the router
 * NOTE - only used if want to upgrade router
 */
function setRouter(address _router) external onlyManagement {
    router = _router;
    underlying.safeApprove(router, type(uint256).max);
}
```

Impact

Even after the strategy's router address is changed to a new one, the old router keeps an unlimited allowance over the strategy's underlying tokens. If the old router is compromised, this can lead to loss of funds.

Tools Used

Manual Review

Recommendations

```diff
 function setRouter(address _router) external onlyManagement {
+    underlying.safeApprove(router, 0); // or safeDecreaseAllowance/forceApprove according to the appropriate OZ version
     router = _router;
     underlying.safeApprove(router, type(uint256).max);
 }
```

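A Foundry test, added here as an example and not part of this submission or the audited code, that reproduces the stale allowance and checks the recommended revoke-then-approve fix. `MockWETH`, `StrategyStub` and the two router addresses are constructed stand-ins; it assumes forge-std and OpenZeppelin 5.x (`forceApprove`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed stand-in for the strategy's `underlying` token.
contract MockWETH is ERC20 {
    constructor() ERC20("Mock WETH", "mWETH") { _mint(msg.sender, 100 ether); }
}
// Hypothetical minimal strategy: `revokeOld` switches between the finding's
// vulnerable setRouter and the recommended one (OZ 5.x forceApprove assumed).
contract StrategyStub {
    using SafeERC20 for IERC20;
    IERC20 public underlying;
    address public router;
    bool public revokeOld;
    constructor(IERC20 _underlying, address _router, bool _revokeOld) {
        (underlying, router, revokeOld) = (_underlying, _router, _revokeOld);
        underlying.forceApprove(router, type(uint256).max);
    }
    function setRouter(address _router) external {
        if (revokeOld) underlying.forceApprove(router, 0); // clear stale allowance
        router = _router;
        underlying.forceApprove(router, type(uint256).max);
    }
}

contract SetRouterAllowanceTest is Test {
    address oldRouter = makeAddr("oldRouter");
    address newRouter = makeAddr("newRouter");
    function test_vulnerable_oldRouterKeepsAllowance() public {
        MockWETH weth = new MockWETH();
        StrategyStub s = new StrategyStub(weth, oldRouter, false);
        weth.transfer(address(s), 10 ether);
        s.setRouter(newRouter);
        // The replaced router still holds max allowance and can pull funds.
        assertEq(weth.allowance(address(s), oldRouter), type(uint256).max);
        vm.prank(oldRouter);
        weth.transferFrom(address(s), oldRouter, 10 ether);
        assertEq(weth.balanceOf(oldRouter), 10 ether);
    }
    function test_fixed_oldRouterRevoked() public {
        MockWETH weth = new MockWETH();
        StrategyStub s = new StrategyStub(weth, oldRouter, true);
        s.setRouter(newRouter);
        assertEq(weth.allowance(address(s), oldRouter), 0);
        assertEq(weth.allowance(address(s), newRouter), type(uint256).max);
    }
}
```

Run with `forge test --match-contract SetRouterAllowanceTest`; the first test documents the stale allowance the finding describes, the second passes only when the old allowance is cleared before the new router is approved.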
Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update