Submission Details
Severity: low
Valid

Hardcoded Curve Router address in StrategyMainnet contract

Summary

The StrategyMainnet contract contains a hardcoded address for the Curve Router and grants it unrestricted approval to spend tokens. This design flaw poses significant security and operational risks, reducing the contract's flexibility and adaptability.

Vulnerability Details

https://github.com/Cyfrin/2024-12-alchemix/blob/5c19ee37df3aa7605bf782c9c40a482fd82adc67/src/StrategyMainnet.sol#L44

  • Hardcoded Address: The contract hardcodes the Curve Router address (`0xF0d4c12A5768D806021F80a262B4d39d26C58b8D`) within the `_initStrategy` function. This lack of configurability makes it difficult to adapt to changes in the Curve ecosystem or deploy the contract across different networks.

  • Unrestricted Approval: The contract grants unlimited token approval to the hardcoded router address using `underlying.safeApprove(address(router), type(uint256).max);`. This violates the principle of least privilege and poses a security risk if the address is compromised.

Impact

  • Security Risks: The hardcoded address and unrestricted approval create a single point of failure. If the address is compromised, it could lead to unauthorized access and potential loss of funds.

  • Operational Challenges: Any need to change the router address requires a full contract upgrade, which is costly and complex. This can lead to operational disruptions and user frustration.

  • Reduced Flexibility: The contract's inability to adapt to changes in the Curve ecosystem or deploy across different networks limits its long-term viability and usability.

  • Trust and Credibility: Violating best practices in smart contract development can affect user trust and the strategy's adoption.

Tools Used

Manual code review

Recommendations

Remove Hardcoded Address:

  • Make the router address configurable by passing it as a parameter in the constructor or through a setter function that only privileged roles can call.

Limit Approval:

  • Implement a mechanism to approve only the necessary amount of tokens for each transaction, rather than granting unlimited approval.
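Both recommendations combined in one sketch, added here as an illustration and not taken from the Alchemix code base or from the submission. Only `router` and `underlying` come from the finding; the contract name, `management`, `setRouter`, `_swap` and the opaque `routerCalldata` argument are assumptions, and OpenZeppelin Contracts v5 is assumed for `SafeERC20.forceApprove`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical base contract: every name except `router` and `underlying`
// is an assumption made for this example.
abstract contract ConfigurableRouterStrategy {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying;
    address public immutable management; // privileged role (assumed)
    address public router;               // configurable, not hardcoded

    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    modifier onlyManagement() {
        require(msg.sender == management, "not management");
        _;
    }

    constructor(address _underlying, address _router, address _management) {
        require(_router.code.length > 0, "router not a contract");
        underlying = IERC20(_underlying);
        router = _router;
        management = _management;
    }

    // Only the privileged role can point the strategy at a different router.
    function setRouter(address newRouter) external onlyManagement {
        require(newRouter.code.length > 0, "router not a contract");
        underlying.forceApprove(router, 0); // revoke the outgoing router's allowance
        emit RouterUpdated(router, newRouter);
        router = newRouter;
    }

    // Approve exactly what this swap spends, then reset the allowance to zero.
    // `routerCalldata` stands in for the router call the strategy would build.
    function _swap(uint256 amountIn, bytes memory routerCalldata) internal {
        underlying.forceApprove(router, amountIn);
        (bool ok, ) = router.call(routerCalldata);
        require(ok, "swap failed");
        underlying.forceApprove(router, 0);
    }
}
```

A setter moves the trust from a fixed address to the `management` key, so the `RouterUpdated` event is worth monitoring off-chain.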

A similar issue has been reported here:

https://solodit.cyfrin.io/issues/unrestricted-approval-to-hardcoded-address-auditone-none-newwit-markdown

Updates

Appeal created

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Cannot Set A New Router In `StrategyMainnet.sol`
