Missing Input Validation in `setRouter` Function
Description
The setRouter function allows the management to update the router address used for swapping tokens. However, there is no validation to ensure that the new _router address is not the zero address or an invalid contract address. Setting the router to an incorrect address could lead to swapping failures or unintended behavior.
Impact
Operational Failure: If the
routeris set to the zero address or an invalid contract, swaps using the router will fail, affecting the strategy's ability to function properly.Security Risks: Approving the zero address or an unintended address to spend tokens may introduce unforeseen vulnerabilities or allow unauthorized token transfers.
Recommendation
-
Validate the Router Address: Add input validation to ensure that the
_routeraddress provided is not the zero address.function setRouter(address _router) external onlyManagement {require(_router != address(0), "Invalid router address");// Reset approval for the old routerunderlying.safeApprove(router, 0);router = _router;underlying.safeApprove(router, type(uint256).max);}
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.