In the StrategyArb contract, when the router address is changed, the contract only grants an ERC20 approval to the new router; it does not revoke the approval previously granted to the old router address. Because the stale allowance remains in place, anyone who controls the old router address can still pull the contract's underlying tokens and perform unauthorized fund transfers.
The same issue exists in the StrategyOp contract.
https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyArb.sol#L42
In the setRouter function of the StrategyArb contract, when a new router address is set, the contract approves the underlying asset to the new router address but does not reset the allowance of the old router address to zero. As a result, the old router keeps its allowance over the contract's funds. If an attacker controls the old router address, they can use that allowance to perform malicious operations, such as transferring funds out of the contract or other harmful actions.
Unauthorized fund transfer: An attacker can use the stale allowance of the old router address to transfer funds and steal assets held by the contract.
Loss of contract control: Through the old, never-revoked router address, an attacker may control the flow of funds in the contract, putting user funds at risk.
Manual review
Revoke the old approval. In the setRouter function, reset the old router's allowance to zero before granting the approval to the new router, for example with underlying.safeApprove(oldRouter, 0).
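As an added illustration, not the audited StrategyArb or StrategyOp code, the sketch below shows the vulnerable setRouter pattern beside the hardened one; the contract, state-variable and modifier names are assumptions, and it assumes OpenZeppelin v4's SafeERC20 (whose safeApprove rejects non-zero to non-zero changes, so zeroing first is also required for it to work).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative sketch only; `underlying`, `router` and `owner` are assumed names.
contract RouterApprovalSketch {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying;
    address public router;
    address public owner;

    constructor(IERC20 _underlying, address _router) {
        underlying = _underlying;
        router = _router;
        owner = msg.sender;
        underlying.safeApprove(_router, type(uint256).max);
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// Vulnerable pattern from the finding: the replaced router keeps its
    /// unlimited allowance because it is never reset to zero.
    function setRouterVulnerable(address _router) external onlyOwner {
        router = _router;
        underlying.safeApprove(_router, type(uint256).max);
    }

    /// Hardened pattern: zero the outgoing router's allowance first,
    /// then grant the allowance to the incoming router.
    function setRouter(address _router) external onlyOwner {
        require(_router != address(0), "zero router");
        address oldRouter = router;
        underlying.safeApprove(oldRouter, 0); // revoke stale allowance
        router = _router;
        underlying.safeApprove(_router, type(uint256).max);
    }

    /// Post-change check for reviewers or monitoring: the previous router
    /// must no longer hold any allowance on the underlying token.
    function isRevoked(address oldRouter) external view returns (bool) {
        return underlying.allowance(address(this), oldRouter) == 0;
    }
}
```

After any router rotation, isRevoked(oldRouter) should return true; a false result means the stale allowance described in this finding is still live.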