The StrategyOp and StrategyArb contracts enable the owner to change the router contract by calling the setRouter function.
The new router is granted a maximum (unlimited) allowance for future swaps, but the old router keeps the maximum allowance it received earlier, either from a previous call to setRouter or during initialization if it was the first router set. If an external router is compromised, the owner can switch to a new router; however, because the old router still holds its allowance, any underlying tokens remaining in the contract can still be pulled through it and are at risk of loss.
This will be categorized as low impact because:
The router itself must be exploitable for the unlimited allowance to matter, which is unlikely for leading industry protocols today, although it is not unheard of, as the Merlin DEX incident shows: Merlin DEX Rekt.
Even if the router is compromised, the strategy is not expected to hold underlying tokens directly, since they should be swapped for alETH. Any underlying tokens that are held anyway (for example, through donations) would be at risk.
Manual review.
Remove previous maximum approvals for old routers when setting a new router inside StrategyOp and StrategyArb.
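The pattern described above, as an added illustration rather than the StrategyOp/StrategyArb source: a sketch strategy contract with the allowance-leaking setRouter beside a version that revokes the old router's allowance first. The contract name, the `underlying` token variable and the OpenZeppelin imports are assumptions, not taken from the audited code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical strategy skeleton, not the audited StrategyOp/StrategyArb code.
contract StrategySketch is Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying; // assumed name for the swapped-in token
    address public router;

    constructor(IERC20 _underlying, address _router) Ownable(msg.sender) {
        underlying = _underlying;
        router = _router;
        // Initialization grants the first router an unlimited allowance.
        underlying.forceApprove(_router, type(uint256).max);
    }

    // Vulnerable pattern: only the new router is approved; the previous
    // router keeps its unlimited allowance and can still transferFrom()
    // any underlying balance this contract holds.
    function setRouterUnsafe(address _router) external onlyOwner {
        router = _router;
        underlying.forceApprove(_router, type(uint256).max);
    }

    // Remediated pattern: revoke the old router's allowance before granting
    // the new one, so a compromised old router can no longer pull funds.
    // forceApprove sets the allowance to zero first, which also keeps tokens
    // that reject non-zero -> non-zero approvals (e.g. USDT-style) working.
    function setRouter(address _router) external onlyOwner {
        require(_router != address(0), "router: zero address");
        address previous = router;
        if (previous != address(0) && previous != _router) {
            underlying.forceApprove(previous, 0);
        }
        router = _router;
        underlying.forceApprove(_router, type(uint256).max);
    }

    // Defender check: after a router change, the old router's allowance
    // should read zero and only the current router should be unlimited.
    function allowanceOf(address spender) external view returns (uint256) {
        return underlying.allowance(address(this), spender);
    }
}
```

After each router change, reading `allowanceOf(previousRouter)` should return 0; a non-zero value indicates the leak this finding describes.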