In StrategyMainnet.sol, StrategyArb.sol, and StrategyOp.sol, when the Management role updates a router address through functions such as setCurvePool, setVeloRouter, or addRoute, the contracts do not revoke the token approvals granted to the previous router address. This is particularly critical because router updates are typically performed in response to security incidents or compromised routers. The Velo router and Curve router contracts are non-upgradeable, so any upgrade requires a redeployment and a router change in the strategy, yet the potentially compromised routers retain their approval to spend the strategy's tokens.
The strategy contracts implement router update functions but include no approval revocation logic.
Each router update performed in response to a security incident therefore increases risk: it adds another approved address without revoking the previous ones.
Even after detecting and responding to an attack by updating the router, the attacker retains the ability to drain funds through the approval still held by the old router, for router contracts that are upgradeable.
Manual review.
Make revocation of the old router's approval mandatory: whenever a router address is updated, set the strategy's allowance for the previous router to zero before approving the new router.
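As an added illustration (not code from the audited strategies), a minimal Solidity contract with a hypothetical asset and veloRouter layout shows the setter pattern described above beside a version that revokes the old router's allowance; setCurvePool and addRoute would follow the same pattern.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Hypothetical minimal strategy; names and layout are assumptions for this example.
contract RouterApprovalExample {
    IERC20 public immutable asset;
    address public management;
    address public veloRouter;

    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    modifier onlyManagement() { require(msg.sender == management, "!management"); _; }

    constructor(IERC20 _asset, address _router) {
        asset = _asset;
        management = msg.sender;
        veloRouter = _router;
        require(asset.approve(_router, type(uint256).max), "approve failed");
    }

    /// Pattern described in the finding: the old router keeps its unlimited allowance.
    function setVeloRouterUnsafe(address newRouter) external onlyManagement {
        veloRouter = newRouter;
        require(asset.approve(newRouter, type(uint256).max), "approve failed");
    }

    /// Hardened pattern: zero the old allowance before granting the new one.
    function setVeloRouter(address newRouter) external onlyManagement {
        require(newRouter != address(0), "zero router");
        address oldRouter = veloRouter;
        if (oldRouter != address(0) && oldRouter != newRouter) {
            require(asset.approve(oldRouter, 0), "revoke failed");
        }
        veloRouter = newRouter;
        require(asset.approve(newRouter, type(uint256).max), "approve failed");
        emit RouterUpdated(oldRouter, newRouter);
    }

    /// Monitoring check: any address other than the current router holding a
    /// non-zero allowance is a stale approval that should be revoked.
    function isAllowanceStale(address candidate) external view returns (bool) {
        return candidate != veloRouter && asset.allowance(address(this), candidate) > 0;
    }
}
```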