The StrategyOp and StrategyArb contracts do not revoke token approvals when changing routers, leading to multiple unlimited allowances that remain active forever. This creates unnecessary risk exposure if previously approved routers become compromised.
In StrategyOp.sol
, when management changes the router via setRouter()
, new approvals are granted without revoking previous ones:
Each router change adds another unlimited approval without cleaning up old ones.
PoC:
Strategy initially approves Router A with unlimited allowance
Management discovers Router A has risks and switches to Router B
Router B gets unlimited allowance, but Router A still has unlimited approval
Router A gets compromised
Attacker controlling Router A can still drain all underlying tokens from strategy
Previous router contracts retain unlimited approval to transfer the strategy's underlying tokens, potentially leading to complete loss of funds if any of those routers are compromised.
Manual Review
Before approving a new router, explicitly revoke approval from the old one.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.