Severity: low
Valid

Unrevoked router permissions can lead to total loss of funds

Summary

The StrategyOp and StrategyArb contracts do not revoke token approvals when changing routers, leading to multiple unlimited allowances that remain active forever. This creates unnecessary risk exposure if previously approved routers become compromised.

Vulnerability Details

In StrategyOp.sol (and identically in StrategyArb.sol), when management changes the router via setRouter(), a new unlimited approval is granted without revoking the previous one:

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L48-L51

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L42-L45

    function setRouter(address _router) external onlyManagement {
    @>  router = _router; // @audit-critical previous router still has max allowance
    @>  underlying.safeApprove(router, type(uint256).max);
    }

Each router change adds another unlimited approval without cleaning up old ones.

PoC:

  • Strategy initially approves Router A with unlimited allowance

  • Management discovers Router A has risks and switches to Router B

  • Router B gets unlimited allowance, but Router A still has unlimited approval

  • Router A gets compromised

  • Attacker controlling Router A can still drain all underlying tokens from the strategy

Impact

  • Previous router contracts retain unlimited approval to transfer the strategy's underlying tokens, potentially leading to complete loss of funds if any of those routers are compromised.

Tools Used

Manual Review

Recommendations

Before approving a new router, explicitly revoke approval from the old one.

    function setRouter(address _router) external onlyManagement {
        if (router != address(0)) {
            // Wrap in try/catch so this does not revert for tokens such as BNB
            // that revert on zero-value approvals
            underlying.safeApprove(router, 0);
        }
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }

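As an added example (not code from the audited repository or the protocol team), the revoke-then-approve pattern above in a hypothetical stand-in contract, together with a Foundry test that checks the old router's allowance really drops to zero after a switch. It assumes forge-std and OpenZeppelin's SafeERC20 (forceApprove, which also tolerates USDT-style tokens that reject a non-zero to non-zero approval); the RouterStrategy, MockUnderlying and RevokeFailed names are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock token standing in for the strategy's underlying asset.
contract MockUnderlying is ERC20 {
    constructor() ERC20("Mock", "MOCK") { _mint(msg.sender, 1_000e18); }
}

// Hypothetical stand-in for StrategyOp/StrategyArb showing the hardened setRouter.
contract RouterStrategy {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying;
    address public router;
    address public management;

    event RevokeFailed(address indexed oldRouter);

    constructor(IERC20 _underlying, address _router) {
        underlying = _underlying;
        management = msg.sender;
        router = _router;
        _underlying.forceApprove(_router, type(uint256).max);
    }

    function setRouter(address _router) external {
        require(msg.sender == management, "!management");
        address old = router;
        if (old != address(0)) {
            // Revoke the old router first. try/catch keeps the router change possible
            // for tokens that revert on zero-value approvals; the event makes that
            // leftover allowance visible to monitoring instead of silently ignoring it.
            try underlying.approve(old, 0) {} catch { emit RevokeFailed(old); }
        }
        router = _router;
        underlying.forceApprove(_router, type(uint256).max);
    }
}

contract RouterStrategyTest is Test {
    function testOldRouterAllowanceIsRevoked() public {
        MockUnderlying token = new MockUnderlying();
        address routerA = makeAddr("routerA");
        address routerB = makeAddr("routerB");
        RouterStrategy s = new RouterStrategy(token, routerA);
        assertEq(token.allowance(address(s), routerA), type(uint256).max);
        s.setRouter(routerB);
        assertEq(token.allowance(address(s), routerA), 0); // old router can no longer pull funds
        assertEq(token.allowance(address(s), routerB), type(uint256).max);
    }
}
```

Run with `forge test --match-contract RouterStrategyTest`; the same test written against the original setRouter fails on the second assertion, which is the finding.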
Updates

Appeal created

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update
