The setRouter
function in the StrategyOp
and StrategyArb
contracts fails to clear the allowance of the old router before setting a new one.
In StrategyArb
contract, the _initStrategy
function will approve unlimited allowance to the router:
However, in setRouter
function, the allowance of the old router will not be removed:
The same issue exists in StrategyOp
.
This oversight can introduce a logical vulnerability where the previously set router retains permission to transfer unlimited tokens, leading to potential unauthorized transfers if an attacker can manipulate or interact with it in a harmful way.
Consider following case:
The manager sets a new router, and this router will have max allowance
The router is attacked and the manager immendately change the router to a new one
However the old router still retains permission to transfer unlimited tokens, the attacker can transfer all underlying tokens through the old router
The impact of this issue is High and the likelihood is Low, as a result, the severity should be medium.
The setRouter
function allows an attacker to exploit the old router's allowance, as it does not clear previously granted permissions. By approving a new router, the prior router can still transfer an unlimited number of tokens, creating the risk of unauthorized token transfers and potential loss of funds. The absence of clearance allows malicious actors to exploit this oversight and manipulate the contract's funds.
Manual Review
Consider following fix:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.