Severity: low
Valid

Approvals to the router are not revoked.

Summary

When the router is set, an unlimited approval is granted to that router address. The problem is that when the router is replaced by setting a new router address, the approval granted to the previous router is not revoked. If the previous router is compromised, it still has access to the strategy's tokens.

Vulnerability Details

Because the router is changed without revoking the previous router's approval, every old router keeps an unlimited allowance over the contract's balance.

https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyArb.sol#L43

    function setRouter(address _router) external onlyManagement {
        router = _router; // @-> new router stored; the old router's allowance is left untouched
        underlying.safeApprove(router, type(uint256).max);
    }
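A hardened form of setRouter, with a Foundry test that checks the old router's allowance drops to zero after a change, as an added example that is not the audited strategy's code. The contract and test names (StrategyFixed, MockToken, SetRouterTest) are assumptions; it assumes OpenZeppelin Contracts 4.9 or later for SafeERC20.forceApprove and forge-std for the test harness.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example (not the audited project's code): strategy whose setRouter
// revokes the old router before approving the new one, plus a Foundry test.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Test} from "forge-std/Test.sol";

contract StrategyFixed {
    using SafeERC20 for IERC20;
    IERC20 public immutable underlying;
    address public management;
    address public router;

    constructor(IERC20 _underlying, address _router) {
        underlying = _underlying;
        management = msg.sender;
        router = _router;
        underlying.forceApprove(_router, type(uint256).max);
    }

    function setRouter(address _router) external {
        require(msg.sender == management, "not management");
        // Revoke the outgoing router first, while its address is still stored.
        if (router != address(0)) underlying.forceApprove(router, 0);
        router = _router;
        underlying.forceApprove(_router, type(uint256).max);
    }
}

// Minimal ERC20 used only by the test (constructed; no balances are needed).
contract MockToken is ERC20 {
    constructor() ERC20("Mock", "MCK") {}
}

contract SetRouterTest is Test {
    function testOldRouterAllowanceRevoked() public {
        MockToken token = new MockToken();
        address oldRouter = makeAddr("oldRouter");
        address newRouter = makeAddr("newRouter");
        StrategyFixed strat = new StrategyFixed(token, oldRouter);
        assertEq(token.allowance(address(strat), oldRouter), type(uint256).max);
        strat.setRouter(newRouter);
        // The old router can no longer pull the strategy's tokens.
        assertEq(token.allowance(address(strat), oldRouter), 0);
        assertEq(token.allowance(address(strat), newRouter), type(uint256).max);
    }
}
```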

Impact

While rare, the routers of other protocols can become compromised. In that case there is no way to revoke the approval, even once the router is no longer in use, and the strategy's funds can be stolen.

Tools Used

Manual Analysis

Recommendations

Implement the following change in both locations:

  1. https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyArb.sol#L43

  2. https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyOp.sol#L48

function setRouter(address _router) external onlyManagement {
+ router.forceApprove(router, 0);
router = _router;
underlying.safeApprove(router, type(uint256).max);
}
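Review bot: the added line `router.forceApprove(router, 0);` calls `forceApprove` on `router`, which is an `address`, so it will not compile without a `using SafeERC20 for address` directive and, more importantly, it is the token whose allowance must be reset, not the router. It should read `underlying.forceApprove(router, 0);`, kept before `router = _router;` as shown so that the old address is still in `router` when it is revoked. Note also that `forceApprove` requires OpenZeppelin SafeERC20 4.9 or later, whereas the surrounding code still uses `safeApprove`; both calls should use the same helper.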
Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update
