DeFiFoundrySolidity
Submission Details
Severity: low
Valid

Unlimited Token Approvals Without Revocation Mechanism

Summary

The StrategyMainnet contract grants unlimited token approvals to both the transmuter and router without implementing any approval management or revocation mechanisms, creating significant risk if either contract becomes compromised.

Vulnerability Details

Two instances of unlimited approvals were found:

  1. Transmuter approval in the constructor:

    constructor(...) {
        ...
        asset.safeApprove(address(transmuter), type(uint256).max); // @audit unlimited approval
    }

  2. Router approval in `_initStrategy`:

    function _initStrategy() internal {
        router = ICurveRouterNG(0xF0d4c12A5768D806021F80a262B4d39d26C58b8D);
        underlying.safeApprove(address(router), type(uint256).max); // @audit unlimited approval
    }

Key Issues:

  1. No way to revoke approvals

  2. No way to remove router in emergency

  3. No approval reset mechanism

  4. Permanent unlimited access granted

Impact

If either transmuter or router is compromised:

  • Attacker would have unlimited access to strategy's tokens

  • No emergency mechanism to revoke access

  • Must deploy new strategy to fix (expensive and time-consuming)

  • All funds at risk until migration complete

Tools Used

  • Manual review

Recommendations

Add a function that lets the strategy revoke these approvals (reset the allowance to zero) under emergency conditions.
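The following is an added illustration of what such a revocation mechanism looks like; it is not code from StrategyMainnet or the audited project. It assumes OpenZeppelin v4's `SafeERC20` (the library that provides `safeApprove`, as used in the finding) and a hypothetical `onlyManagement` role standing in for whatever access control the real strategy uses. It keeps the same two unlimited approvals but adds an emergency `revokeApproval`, and its `setRouter` zeroes the old router's allowance before granting the new one, which addresses the judge's note that the old router approval is not revoked after an update.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not the StrategyMainnet code. Assumes OpenZeppelin v4 SafeERC20
// and a hypothetical `management` role / `onlyManagement` modifier.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Minimal stand-in for the router interface referenced by the strategy.
interface ICurveRouterNG {}

contract ApprovalManagedStrategy {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    IERC20 public immutable underlying;
    address public immutable transmuter;
    ICurveRouterNG public router;
    address public management; // hypothetical privileged role

    event ApprovalRevoked(address indexed token, address indexed spender);
    event ApprovalRestored(address indexed token, address indexed spender);
    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    modifier onlyManagement() {
        require(msg.sender == management, "!management");
        _;
    }

    constructor(IERC20 _asset, IERC20 _underlying, address _transmuter, address _router) {
        asset = _asset;
        underlying = _underlying;
        transmuter = _transmuter;
        router = ICurveRouterNG(_router);
        management = msg.sender;
        // Same unlimited approvals the finding describes, now revocable via the functions below.
        asset.safeApprove(_transmuter, type(uint256).max);
        underlying.safeApprove(_router, type(uint256).max);
    }

    /// Emergency lever: zero the allowance of any spender this strategy granted.
    /// Setting an allowance to 0 always passes OZ v4's non-zero-to-non-zero guard.
    function revokeApproval(IERC20 token, address spender) external onlyManagement {
        token.safeApprove(spender, 0);
        emit ApprovalRevoked(address(token), spender);
    }

    /// Re-grant after an incident is resolved. safeApprove refuses to go from a
    /// non-zero to another non-zero value, so reset to 0 first.
    function restoreApproval(IERC20 token, address spender) external onlyManagement {
        token.safeApprove(spender, 0);
        token.safeApprove(spender, type(uint256).max);
        emit ApprovalRestored(address(token), spender);
    }

    /// Router swap: revoke the retired router's allowance before approving the new one,
    /// so a replaced (possibly compromised) router keeps no access to `underlying`.
    function setRouter(address newRouter) external onlyManagement {
        require(newRouter != address(0), "router=0");
        address oldRouter = address(router);
        underlying.safeApprove(oldRouter, 0);
        router = ICurveRouterNG(newRouter);
        underlying.safeApprove(newRouter, type(uint256).max);
        emit RouterUpdated(oldRouter, newRouter);
    }
}
```

Operationally, `revokeApproval` is the fast response during an incident (no redeploy or migration required), while `setRouter` makes the routine router update safe by construction; the emitted events give monitoring a clear signal whenever an allowance changes.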

Updates

Appeal created

inallhonesty (Lead Judge), 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update
