Unrevoked router permissions can lead to total loss of funds
Summary
The StrategyOp and StrategyArb contracts do not revoke token approvals when changing routers, leading to multiple unlimited allowances that remain active forever. This creates unnecessary risk exposure if previously approved routers become compromised.
Vulnerability Details
In StrategyOp.sol, when management changes the router via setRouter(), new approvals are granted without revoking previous ones:
Each router change adds another unlimited approval without cleaning up old ones.
PoC:
Strategy initially approves Router A with unlimited allowance
Management discovers Router A has risks and switches to Router B
Router B gets unlimited allowance, but Router A still has unlimited approval
Router A gets compromised
Attacker controlling Router A can still drain all underlying tokens from strategy
Impact
Previous router contracts retain unlimited approval to transfer the strategy's underlying tokens, potentially leading to complete loss of funds if any of those routers are compromised.
Tools Used
Manual Review
Recommendations
Before approving a new router, explicitly revoke approval from the old one.
Appeal created
Old router approval is not revoked after an update
Old router approval is not revoked after an update
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.