Old router approvals persist after router update
Summary
The StrategyArb.sol and StrategyOp.sol contracts have a security vulnerability where they fail to revoke token approvals from old routers when updating to a new one. This leads to accumulation of token approvals, potentially exposing the strategy's underlying tokens to risk if any previous router becomes compromised.
Vulnerability Details
When updating the router via setRouter, the contracts approve the new router but don't revoke permissions from the old one:
In StrategyArb.sol:
Similarly in StrategyOp.sol:
This creates multiple security concerns:
Every router change leaves another contract with unlimited approval
Historical approvals remain active indefinitely
No mechanism exists to revoke old approvals
Strategy's underlying tokens remain exposed to old routers
Impact
The main risks are:
Compromised previous routers could still access strategy funds
Each router upgrade increases attack surface
No way to revoke historical approvals without contract upgrade
Full underlying token balance at risk if old router is exploited
Tools Used
Manual Review
Recommendations
Remove approve for old router
Appeal created
Old router approval is not revoked after an update
Old router approval is not revoked after an update
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.