Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: low
Valid

Funds are vulnerable to theft due to failure to revoke token approvals from previous routers

ericselvig

Vulnerability Details

The setRouter function in the StrategyArb and StrategyOp contracts is designed to update the router address used for token swaps.

This update may be required for various reasons, such as the compromise of the existing router.
In such cases, it is critical to revoke all token approvals from the previous router before assigning a new one. However, the setRouter function does not handle this revocation, leaving funds exposed to potential theft.

function setRouter(address _router) external onlyManagement {
/// @audit missing revocation of token approvals
router = _router;
underlying.safeApprove(router, type(uint256).max);
}

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L42-L45
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L48-L51

Impact

Impact: High
Likelihood: Low

Funds in the strategy contract are vulnerable to theft if the router is compromised, as the attacker can use the existing approvals to transfer tokens from the strategy contract.

Tools Used

Manual Review

Recommendations

Change the implementation of setRouter to include revocation to current router.

function setRouter(address _router) external onlyManagement {
+ underlying.safeApprove(router, 0);
router = _router;
underlying.safeApprove(router, type(uint256).max);
}
Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.