The `setRouter` function does not clear the allowance of the old router
Summary
The setRouter function in the StrategyOp and StrategyArb contracts fails to clear the allowance of the old router before setting a new one.
Vulnerability Details
In StrategyArb contract, the _initStrategy function will approve unlimited allowance to the router:
However, in setRouter function, the allowance of the old router will not be removed:
The same issue exists in StrategyOp .
This oversight can introduce a logical vulnerability where the previously set router retains permission to transfer unlimited tokens, leading to potential unauthorized transfers if an attacker can manipulate or interact with it in a harmful way.
Consider following case:
The manager sets a new router, and this router will have max allowance
The router is attacked and the manager immendately change the router to a new one
However the old router still retains permission to transfer unlimited tokens, the attacker can transfer all underlying tokens through the old router
The impact of this issue is High and the likelihood is Low, as a result, the severity should be medium.
Impact
The setRouter function allows an attacker to exploit the old router's allowance, as it does not clear previously granted permissions. By approving a new router, the prior router can still transfer an unlimited number of tokens, creating the risk of unauthorized token transfers and potential loss of funds. The absence of clearance allows malicious actors to exploit this oversight and manipulate the contract's funds.
Tools Used
Manual Review
Recommendations
Consider following fix:
Appeal created
Old router approval is not revoked after an update
Old router approval is not revoked after an update
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.