The setRouter
function in the StrategyArb
and StrategyOp
contracts is designed to update the router address used for token swaps.
This update may be required for various reasons, such as the compromise of the existing router.
In such cases, it is critical to revoke all token approvals from the previous router before assigning a new one. However, the setRouter
function does not handle this revocation, leaving funds exposed to potential theft.
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L42-L45
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L48-L51
Impact: High
Likelihood: Low
Funds in the strategy contract are vulnerable to theft if the router is compromised, as the attacker can use the existing approvals to transfer tokens from the strategy contract.
Manual Review
Change the implementation of setRouter
to include revocation to current router.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.