DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: low
Valid

Approval Not Revoked for Old Router in setRouter Function

Summary

The setRouter function allows a manager to change the router, a critical component of the protocol. Whenever a new router is set, the function grants that router unlimited approval over the underlying token but does not revoke the approval still held by the old router.

Vulnerability Details

The setRouter function in StrategyArb.sol and StrategyOp.sol updates the protocol’s router and grants the new router unlimited token approval.

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L42-L45

function setRouter(address _router) external onlyManagement {
    router = _router;
    underlying.safeApprove(router, type(uint256).max);
}

• The function does not reset the token approval for the old router, leaving its permission intact.

• If the old router is exploited or hacked after being replaced, it can still access all tokens.

Impact

Complete loss of all underlying tokens authorized to the old router.

Tools Used

vscode

Recommendations

function setRouter(address _router) external onlyManagement {
    // Reset approval for the old router
    underlying.safeApprove(router, 0); // Added critical line
    // Update to the new router and approve it
    router = _router;
    underlying.safeApprove(router, type(uint256).max);
}

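The following Python model is an added illustration and is not code from the Alchemix strategies or from this report. It simulates ERC-20 allowance bookkeeping offline so the reported setRouter and the recommended fix can be compared side by side: after rotating from router_v1 to router_v2, it checks how much the old router can still pull. MockERC20, Strategy and the address strings are constructed for the example. The safe_approve helper follows the OpenZeppelin SafeERC20.safeApprove rule (a non-zero allowance may only be set when the current allowance is zero); that the strategies' safeApprove behaves this way is an assumption, but it shows a second benefit of zeroing first: rotating back to a previously used router no longer reverts.

```python
"""Offline model of the setRouter approval-rotation finding (added example)."""

MAX_UINT256 = 2**256 - 1


class MockERC20:
    """Minimal ERC-20 state: balances plus the (owner, spender) allowance map."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._allowance = {}

    def allowance(self, owner, spender):
        return self._allowance.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        self._allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("ERC20: insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("ERC20: transfer amount exceeds balance")
        if allowed != MAX_UINT256:  # unlimited approvals are not decremented
            self._allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def safe_approve(token, owner, spender, amount):
    """OpenZeppelin-style safeApprove (assumed): refuse non-zero -> non-zero changes."""
    if amount != 0 and token.allowance(owner, spender) != 0:
        raise RuntimeError("SafeERC20: approve from non-zero to non-zero allowance")
    token.approve(owner, spender, amount)


class Strategy:
    """Holds `underlying` and lets `router` spend it, mirroring setRouter."""

    def __init__(self, address, underlying, router, revoke_old):
        self.address = address
        self.underlying = underlying
        self.router = router
        self.revoke_old = revoke_old  # False = reported code, True = recommended fix
        safe_approve(underlying, address, router, MAX_UINT256)

    def set_router(self, new_router):
        if self.revoke_old:
            # Recommended fix: zero the old router's allowance before moving on.
            safe_approve(self.underlying, self.address, self.router, 0)
        self.router = new_router
        safe_approve(self.underlying, self.address, new_router, MAX_UINT256)


def rotate_and_probe(revoke_old, deposit=1_000):
    """Rotate router_v1 -> router_v2, then check what router_v1 can still move.

    Returns (allowance left for router_v1, tokens router_v1 could still pull).
    """
    token = MockERC20({"strategy": deposit})  # constructed sample balance
    strategy = Strategy("strategy", token, "router_v1", revoke_old)
    strategy.set_router("router_v2")
    leftover = token.allowance("strategy", "router_v1")
    try:
        token.transfer_from("router_v1", "strategy", "router_v1_sink", deposit)
        pulled = token.balances["router_v1_sink"]
    except PermissionError:
        pulled = 0
    return leftover, pulled


def rotate_back_succeeds(revoke_old):
    """Rotate v1 -> v2 -> v1; returns False if the second setRouter reverts."""
    token = MockERC20({"strategy": 0})
    strategy = Strategy("strategy", token, "router_v1", revoke_old)
    strategy.set_router("router_v2")
    try:
        strategy.set_router("router_v1")
    except RuntimeError:
        return False
    return strategy.router == "router_v1"


if __name__ == "__main__":
    print("reported code:", rotate_and_probe(False))   # old router keeps MAX and can pull everything
    print("with fix:     ", rotate_and_probe(True))    # (0, 0)
    print("rotate back, reported code:", rotate_back_succeeds(False))
    print("rotate back, with fix:     ", rotate_back_succeeds(True))
```

In the reported version the old router keeps an unlimited allowance and drains the full balance in the model; with the fix its allowance is zero and the transfer is refused. A cheap on-chain check for a deployed strategy is to read `underlying.allowance(strategy, oldRouter)` after every router change and alert if it is non-zero.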
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update
