DeFiFoundrySolidity
Submission Details
Severity: low
Valid

Approval of Router Not Revoked When the Router Is Changed

Summary

When the router is updated to a new address, the existing underlying token approval granted to the previous router is not revoked. The old router therefore keeps the ability to transfer the strategy's underlying tokens even though it is no longer in active use.

Vulnerability Details

When the strategy contract is deployed, a router is set and approved to spend type(uint).max (i.e. an unlimited amount) of the strategy's underlying token.
The vulnerability arises because the contract does not remove the approval of the previous router when the router is replaced with a new one. As a result, the underlying token approval granted to the old router persists indefinitely, leaving room for misuse, especially if the old router is compromised or malicious.

    function setRouter(address _router) external onlyManagement {
        //@audit -- The approval of the former router is not removed when a new one is set
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }

Impact

The vulnerability can result in unauthorized access to users' tokens. Since the old router still holds an unlimited approval over the strategy's underlying token, a compromised or malicious old router could transfer the strategy's funds, leading to a loss of user funds.

Tools Used

Manual Review

Recommendations

Implement logic to revoke existing token approvals for the old router when updating to a new one.

    function setRouter(address _router) external onlyManagement {
    +   underlying.safeApprove(router, 0);
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }
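The following Foundry test is an added example, not the audited protocol's code: a hypothetical minimal strategy with the recommended fix applied, together with a test asserting that the old router's allowance is zeroed and that it can no longer pull funds. It assumes forge-std and OpenZeppelin 4.x (whose `SafeERC20.safeApprove` is taken as the behaviour of the `safeApprove` used in the finding); the token, strategy and router addresses are constructed for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock of the underlying token (not the contest's token).
contract MockToken is ERC20 {
    constructor() ERC20("Mock", "MCK") { _mint(msg.sender, 1_000e18); }
}

// Hypothetical minimal strategy reproducing the setRouter pattern from the finding,
// with the recommended fix applied (old allowance zeroed before the new grant).
contract Strategy {
    using SafeERC20 for IERC20;
    IERC20 public immutable underlying;
    address public router;
    address public immutable management;
    modifier onlyManagement() { require(msg.sender == management, "!management"); _; }

    constructor(IERC20 _underlying, address _router) {
        underlying = _underlying;
        management = msg.sender;
        router = _router;
        underlying.safeApprove(_router, type(uint256).max);
    }

    function setRouter(address _router) external onlyManagement {
        underlying.safeApprove(router, 0);          // revoke the old router first
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }
}

contract SetRouterTest is Test {
    MockToken token;
    Strategy strategy;
    address oldRouter = makeAddr("oldRouter"); address newRouter = makeAddr("newRouter");

    function setUp() public {
        token = new MockToken();
        strategy = new Strategy(IERC20(address(token)), oldRouter); // test contract is management
        token.transfer(address(strategy), 100e18);
    }

    function test_oldRouterAllowanceRevoked() public {
        strategy.setRouter(newRouter);
        assertEq(token.allowance(address(strategy), oldRouter), 0);
        assertEq(token.allowance(address(strategy), newRouter), type(uint256).max);
        vm.prank(oldRouter);                        // the old router can no longer pull funds
        vm.expectRevert();
        token.transferFrom(address(strategy), oldRouter, 1e18);
    }
}
```

Zeroing the old allowance before granting the new one also matters for tokens and wrappers (including OpenZeppelin 4.x `safeApprove`) that reject changing a non-zero allowance directly to another non-zero value.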

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update
