DeFiFoundrySolidity
16,653 OP
View results
Submission Details
Severity: low
Valid

The `setRouter` function does not clear the allowance of the old router

Summary

The setRouter function in the StrategyOp and StrategyArb contracts fails to clear the allowance of the old router before setting a new one.

Vulnerability Details

In StrategyArb contract, the _initStrategy function will approve unlimited allowance to the router:

function _initStrategy() internal {
router = 0xAAA87963EFeB6f7E0a2711F397663105Acb1805e;
underlying.safeApprove(address(router), type(uint256).max);
}

However, in setRouter function, the allowance of the old router will not be removed:

function setRouter(address _router) external onlyManagement {
router = _router;
underlying.safeApprove(router, type(uint256).max);
}

The same issue exists in StrategyOp .

This oversight can introduce a logical vulnerability where the previously set router retains permission to transfer unlimited tokens, leading to potential unauthorized transfers if an attacker can manipulate or interact with it in a harmful way.

Consider following case:

  1. The manager sets a new router, and this router will have max allowance

  2. The router is attacked and the manager immendately change the router to a new one

  3. However the old router still retains permission to transfer unlimited tokens, the attacker can transfer all underlying tokens through the old router

The impact of this issue is High and the likelihood is Low, as a result, the severity should be medium.

Impact

The setRouter function allows an attacker to exploit the old router's allowance, as it does not clear previously granted permissions. By approving a new router, the prior router can still transfer an unlimited number of tokens, creating the risk of unauthorized token transfers and potential loss of funds. The absence of clearance allows malicious actors to exploit this oversight and manipulate the contract's funds.

Tools Used

Manual Review

Recommendations

Consider following fix:

function setRouter(address _router) external onlyManagement {
underlying.safeApprove(router, 0);
router = _router;
underlying.safeApprove(router, type(uint256).max);
}
Updates

Appeal created

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.