The StrategyMainnet.sol contract is meant to be deployed on Ethereum mainnet. The initial Curve router address that was set appears to belong to an EOA (Externally Owned Account) on mainnet rather than to a contract; according to the Curve documentation, the same address belongs to the DepositAndStakeZap contract that Curve deployed on the Mantle and Fraxtal chains:
https://docs.curve.fi/deployments/router-zaps/#depositandstakezap
Initial Router Setup with EOA address:
1. If the router address is an EOA, the account controlling that address could drain all approved underlying tokens from the strategy, as there is no validation of the address and no ability to revoke the approval. Even if the mistake is discovered after deployment and the address is changed to the Curve router, there is no mechanism to revoke the existing approval, so the EOA would retain the ability to drain future deposits.
This will also cause a DoS: deposits through the base contract TokenizedStrategy.sol will fail, leading to distrust in the strategy. https://github.com/yearn/tokenized-strategy/blob/9ef68041bd034353d39941e487499d111c3d3901/src/TokenizedStrategy.sol#L487
Manual review.
Change the router contract address before deployment to the Curve Router address listed at https://docs.curve.fi/deployments/router-zaps/#router
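The two gaps named above are the absence of any check that the router is a contract and the absence of a way to revoke an approval once granted. The following is an added illustrative contract, not code from StrategyMainnet.sol or the tokenized-strategy repository; the contract name, the `management` role, and the `setRouter` / `revokeRouterApproval` functions are assumptions chosen for the example. It rejects addresses with no code at the time the router is set, and it zeroes the previous router's allowance before approving a new one, so a mistaken address cannot keep pulling funds after a correction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC-20 surface needed here, declared inline so the example is self-contained.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Illustrative router-approval management for a strategy contract.
/// All names below are assumptions for this example, not StrategyMainnet.sol's API.
contract RouterApprovalExample {
    address public immutable management; // assumed privileged role
    IERC20 public immutable asset;       // underlying token the router may spend
    address public router;

    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    error NotManagement();
    error NotAContract(address account);

    modifier onlyManagement() {
        if (msg.sender != management) revert NotManagement();
        _;
    }

    constructor(address _asset, address _router) {
        management = msg.sender;
        asset = IERC20(_asset);
        _setRouter(_router); // validation runs at deployment, not only on later changes
    }

    /// Replace the router. The old router's allowance is revoked first so that a
    /// stale or mistaken address cannot keep spending after the change.
    function setRouter(address newRouter) external onlyManagement {
        _setRouter(newRouter);
    }

    /// Emergency lever: drop the current router's allowance without choosing a replacement.
    function revokeRouterApproval() external onlyManagement {
        require(asset.approve(router, 0), "revoke failed");
    }

    function _setRouter(address newRouter) internal {
        // An EOA, or an address where nothing has been deployed on this chain, has no code.
        // (A contract still inside its own constructor also reports zero code size.)
        if (newRouter.code.length == 0) revert NotAContract(newRouter);

        address old = router;
        if (old != address(0)) {
            // Revoke before re-approving; without this the old spender keeps its allowance.
            require(asset.approve(old, 0), "revoke failed");
        }
        router = newRouter;
        require(asset.approve(newRouter, type(uint256).max), "approve failed");
        emit RouterUpdated(old, newRouter);
    }
}
```

The `require(asset.approve(...))` pattern assumes a standard ERC-20 that returns a boolean; tokens that return nothing from `approve` need a SafeERC20-style low-level call instead. The code-size check only guards against an address that is not a contract on the deploying chain; it does not confirm the contract is the intended Curve router, so the address itself still has to be checked against the Curve deployment documentation before deployment.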