Submission Details
Severity: low
Valid

Once a router has been changed, it cannot be used again due to calling safeApprove

Summary

When a new router is set, full approval is granted to that router using safeApprove. The problem is that the old router cannot be used again once this update is made. For example, changing from V1 to V2 and then back to V1 is not possible: the transaction reverts because V1 already has a non-zero allowance.

Vulnerability Details

Because safeApprove only works when the current allowance is zero, switching back to a previous router fails: the previous router still has a non-zero allowance.

https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyArb.sol#L43

function setRouter(address _router) external onlyManagement {
    router = _router;
    // Reverts if `router` already has a non-zero allowance.
    underlying.safeApprove(router, type(uint256).max);
}

Impact

The strategy won't be able to use old routers.
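
The revert described above, and the first recommendation below, reproduced as a Foundry test. This is an added example, not code from the submission or from StrategyArb: `MockToken`, `RouterHarness`, the `V1`/`V2` addresses and the revert string are constructed, and `_safeApprove` reimplements only the allowance precondition of OpenZeppelin 4.x `safeApprove`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
// Constructed stand-in for `underlying`: allowance bookkeeping only.
contract MockToken {
    mapping(address => mapping(address => uint256)) public allowance;
    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        return true;
    }
}

// Hypothetical harness (not StrategyArb) holding two setRouter variants.
contract RouterHarness {
    MockToken public underlying = new MockToken();
    address public router;
    // Same precondition as OpenZeppelin 4.x SafeERC20.safeApprove.
    function _safeApprove(address spender, uint256 value) internal {
        require(value == 0 || underlying.allowance(address(this), spender) == 0, "non-zero allowance");
        underlying.approve(spender, value);
    }
    function setRouterOriginal(address r) external {
        router = r;
        _safeApprove(r, type(uint256).max);
    }
    function setRouterRevokeFirst(address r) external { // recommendation 1
        underlying.approve(router, 0); // zero the outgoing router before switching
        router = r;
        _safeApprove(r, type(uint256).max);
    }
}

contract RouterApprovalTest is Test {
    address constant V1 = address(0x1001); // constructed router addresses
    address constant V2 = address(0x1002);
    RouterHarness h = new RouterHarness();
    function test_originalRevertsOnSwitchBack() public {
        h.setRouterOriginal(V1);
        h.setRouterOriginal(V2);
        vm.expectRevert(bytes("non-zero allowance"));
        h.setRouterOriginal(V1); // V1 still holds type(uint256).max
    }
    function test_revokeFirstAllowsSwitchBack() public {
        h.setRouterRevokeFirst(V1);
        h.setRouterRevokeFirst(V2);
        h.setRouterRevokeFirst(V1); // no revert: V1 was zeroed on the way out
        assertEq(h.underlying().allowance(address(h), V2), 0);
        assertEq(h.underlying().allowance(address(h), V1), type(uint256).max);
    }
}
```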

Tools Used

Manual Analysis

Recommendations

  1. Set the allowance of the previous router to zero.

function setRouter(address _router) external onlyManagement {
+ underlying.forceApprove(router, 0);
router = _router;
underlying.safeApprove(router, type(uint256).max);
}
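
Review bot: the last line still calls `safeApprove(router, type(uint256).max)`, so the function mixes two approval helpers and continues to revert if `_router` holds any allowance that did not pass through the new zeroing step. Consider `underlying.forceApprove(router, type(uint256).max);` there as well, and add a comment that the first call targets the outgoing router, since `router` is reassigned on the following line.
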

  2. Use forceApprove instead.

function setRouter(address _router) external onlyManagement {
router = _router;
- underlying.safeApprove(router, type(uint256).max);
+ underlying.forceApprove(router, type(uint256).max);
}
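
Review bot: nothing in this hunk touches the outgoing router, so after the switch it keeps its `type(uint256).max` allowance on `underlying`; replacing `safeApprove` with `forceApprove` only removes the revert. Suggest zeroing the old approval before `router = _router;` with `underlying.forceApprove(router, 0);`, as the first recommendation does.
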
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update
