Hardcoded Curve Router Address Without Update Mechanism
Summary
I've identified that StrategyMainnet.sol contains a hardcoded Curve Router address with no update mechanism. This is concerning as Curve has recently migrated to a new router contract, while the contract's hardcoded address has been inactive for approximately 20 days. This architectural decision could impact the strategy's functionality if the old router becomes obsolete or compromised.
The new router can be found here:
https://etherscan.io/address/0x16C6521Dff6baB339122a0FE25a9116693265353
Vulnerability Details
The router initialization occurs in _initStrategy():
Critical concerns:
-
Router address cannot be modified post-deployment
-
Management lacks ability to update router address
-
Unlimited approval granted to the hardcoded router
-
Current router address shows inactivity while new router is operational
The strategy's
claimAndSwapfunctionality is dependent on this router: https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L92
Impact
The vulnerability presents several risks:
Perpetual approval to potentially deprecated contract
Strategy functionality could cease if router becomes deprecated
Reduced performance from inability to access updated pricing and pools
Missing potential optimizations from newer router versions
Tools Used
Manual Review
Recommendations
Add a setRouter function:
Appeal created
Cannot Set A New Router In `StrategyMainnet.sol`
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.