Alchemix Transmuter

Summary

The setRouter function in the StrategyArb contract updates the router address and approves the new router without revoking the approval from the old router address. This leaves active unlimited token approvals (type(uint256).max) to multiple router addresses, creating unnecessary security risks. A compromised router can use this approval to steal tokens or harm the protocol.

Vulnerability Details

Location: setRouter function in StrategyArb.sol and StrategyOp.sol

• Current Implementation:

  function setRouter(address _router) external onlyManagement {

  router = _router;

  underlying.safeApprove(router, type(uint256).max);

  }

• The function fails to revoke the approval from the old router address before setting up the new approval

• Each time the router is changed, a new unlimited approval is created while previous approvals remain active

• This creates a situation where multiple router contracts have unlimited spending rights on the strategy's underlying tokens

Impact

Medium

• If any previously approved router contract becomes compromised, malicious actors could:

  • Drain all underlying tokens up to the maximum uint256 value

  • Execute unauthorized trades

  • Potentially cause loss of funds through malicious transactions

• Multiple active unlimited approvals increase the attack surface unnecessarily

Tools Used

• Manual code review

Recommendations

• Implement approval revocation before setting new approvals

• Recommend using approve since safeApprove has been deprecated.

  function setRouter(address _router) external onlyManagement {

  // Revoke approval from old router

  underlying.approve(router, 0);

  // Set new router

  router = _router;

  // Approve new router

  underlying.approve(router, type(uint256).max);

  }