The StrategyMainnet contract contains a hardcoded address for the Curve Router and grants it unrestricted approval to spend tokens. This design flaw poses significant security and operational risks, reducing the contract's flexibility and adaptability.
https://github.com/Cyfrin/2024-12-alchemix/blob/5c19ee37df3aa7605bf782c9c40a482fd82adc67/src/StrategyMainnet.sol#L44
Hardcoded Address: The contract hardcodes the Curve Router address (0xF0d4c12A5768D806021F80a262B4d39d26C58b8D) within the _initStrategy function. This lack of configurability makes it difficult to adapt to changes in the Curve ecosystem or deploy the contract across different networks.
Unrestricted Approval: The contract grants unlimited token approval to the hardcoded router address using underlying.safeApprove(address(router), type(uint256).max);. This violates the principle of least privilege and poses a security risk if the address is compromised.
Security Risks: The hardcoded address and unrestricted approval create a single point of failure. If the address is compromised, it could lead to unauthorized access and potential loss of funds.
Operational Challenges: Any need to change the router address requires a full contract upgrade, which is costly and complex. This can lead to operational disruptions and user frustration.
Reduced Flexibility: The contract's inability to adapt to changes in the Curve ecosystem or deploy across different networks limits its long-term viability and usability.
Trust and Credibility: Violating best practices in smart contract development can affect user trust and the strategy's adoption.
Manual code review
Remove Hardcoded Address:
Make the router address configurable by passing it as a parameter in the constructor or through a setter function that only privileged roles can call.
Limit Approval:
Implement a mechanism to approve only the necessary amount of tokens for each transaction, rather than granting unlimited approval.
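The two recommendations above, shown together in an added example that is not the Alchemix code: the router is settable by a privileged role, and the allowance is granted per swap for the exact amount and cleared afterwards. The ICurveRouter and IERC20 interfaces and the `exchange` signature are minimal, hypothetical stand-ins for the real ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal hypothetical interfaces (the real Curve Router ABI differs).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

interface ICurveRouter {
    function exchange(address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut)
        external returns (uint256);
}

contract RouterApprovalExample {
    address public governance;
    ICurveRouter public router;          // configurable, not hardcoded
    IERC20 public immutable underlying;

    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    modifier onlyGovernance() { require(msg.sender == governance, "!governance"); _; }

    constructor(address _underlying, address _router) {
        require(_router != address(0), "router=0");
        governance = msg.sender;
        underlying = IERC20(_underlying);
        router = ICurveRouter(_router);
        // No standing allowance is granted here; the router only holds an
        // allowance for the duration of a single swap.
    }

    // A compromised or deprecated router can be replaced by governance
    // without a full contract upgrade.
    function setRouter(address _router) external onlyGovernance {
        require(_router != address(0), "router=0");
        emit RouterUpdated(address(router), _router);
        router = ICurveRouter(_router);
    }

    function _swap(address tokenOut, uint256 amountIn, uint256 minOut) internal returns (uint256 out) {
        // Approve exactly the amount this swap consumes...
        require(underlying.approve(address(router), amountIn), "approve failed");
        out = router.exchange(address(underlying), tokenOut, amountIn, minOut);
        // ...then clear any remainder so no allowance persists between calls.
        require(underlying.approve(address(router), 0), "approve reset failed");
        require(underlying.allowance(address(this), address(router)) == 0, "allowance not cleared");
    }
}
```

For tokens whose approve does not return a bool (USDT-style), route the approve calls through SafeERC20 instead of checking the return value directly.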
A similar issue has been reported here:
https://solodit.cyfrin.io/issues/unrestricted-approval-to-hardcoded-address-auditone-none-newwit-markdown