DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: low
Valid

Protocol funds can be compromised due to not removing router approval

Summary

Protocol funds can be compromised due to not revoking the previous router's approval when setting a new one.

Vulnerability Details

In the constructors of StrategyOp.sol and StrategyArb.sol, the strategy is initialized and the underlying token's approval to the router is set to type(uint256).max.

    function _initStrategy() internal {
        router = 0xa062aE8A9c5e11aaA026fc2670B0D65cCc8B2858;
        underlying.safeApprove(address(router), type(uint256).max);
    }

If the admins decide to set a new router, a max approval is once again granted to the new router, but the previous router's approval is not revoked.

    function setRouter(address _router) external onlyManagement {
        router = _router;
        underlying.safeApprove(router, type(uint256).max);
    }

This can be problematic. In a worst-case scenario where the router is compromised, whether through a vulnerability or any other cause, the Alchemix contract's funds are at risk, since the approval to the compromised router cannot be revoked even after a new router is set. Furthermore, the Alchemix contracts cannot be paused, and the emergency withdraw function is currently commented out in both StrategyArb.sol and StrategyOp.sol.

Impact

If the initial router is compromised, the Alchemix contract's max approval will remain and the funds can be at risk. I believe the likelihood is low, but the impact can be critical; hence, medium severity.

Tools Used

Manual Review

Recommendations

Revoke the previous router's approval when setting a new one. Adding pausability to the contract would also help in such cases.
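One way to implement the recommended revocation, as an added example that is not the project's StrategyOp/StrategyArb code: the old spender's allowance is zeroed before the new router is approved, and a separate management-only function lets the live router's allowance be cut to zero without replacing it. The contract name, the `management` address and the events are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added example: router management that never leaves a stale max approval behind.
contract RouterApprovalExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying;
    address public management; // assumed stand-in for the strategy's onlyManagement role
    address public router;

    event RouterUpdated(address indexed oldRouter, address indexed newRouter);
    event RouterApprovalRevoked(address indexed router);

    modifier onlyManagement() {
        require(msg.sender == management, "!management");
        _;
    }

    constructor(IERC20 _underlying, address _router) {
        underlying = _underlying;
        management = msg.sender;
        _setRouter(_router);
    }

    /// Replace the router: the old allowance is revoked before the new one is granted.
    function setRouter(address _router) external onlyManagement {
        _setRouter(_router);
    }

    /// Emergency lever: drop the current router's allowance to zero without
    /// replacing it, so a compromised router is cut off immediately.
    function revokeRouterApproval() external onlyManagement {
        underlying.safeApprove(router, 0);
        emit RouterApprovalRevoked(router);
    }

    function _setRouter(address _router) internal {
        require(_router != address(0), "router=0");
        address old = router;
        if (old != address(0)) {
            // Zero the old spender first. safeApprove (as used on the page) also refuses a
            // non-zero approval while an allowance is already set, so this order matters.
            underlying.safeApprove(old, 0);
        }
        router = _router;
        underlying.safeApprove(_router, type(uint256).max);
        emit RouterUpdated(old, _router);
    }
}
```

With this shape, an operator can verify after any router change that `underlying.allowance(strategy, oldRouter)` reads zero.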

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

