Submission Details
Severity: low
Valid

`StrategyMainnet.sol` Does Not Have A Way To Change Router Address If Needed

Summary

The StrategyMainnet.sol contract uses a hardcoded Curve Router address that cannot be updated. Recent on-chain activity suggests that Curve has deployed a new version of the router, while the hardcoded address shows no activity in the past month, indicating it is outdated. Here is the new Curve Router address: 0x16C6521Dff6baB339122a0FE25a9116693265353
This design choice limits the contract's adaptability and could lead to operational issues if the router becomes deprecated or exploited.

Vulnerability Details

In _initStrategy(), the router address is hardcoded:
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L44

Key issues:

  • The router address is immutable after deployment

  • No management function exists to update the router address

  • The contract grants unlimited approval (type(uint256).max) to this specific router address

  • The hardcoded router address shows no activity for the past 20 days, while a new router contract has been deployed and is actively being used

The claimAndSwap function, which is critical for the strategy's operation, relies entirely on this router:
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L92

Impact

  1. If the old router becomes deprecated, the strategy's claimAndSwap functionality would become inoperable

  2. New router versions may include performance improvements or better pricing that the strategy cannot utilize

  3. The unlimited approval granted to the old router contract remains in place indefinitely

  4. Inability to access better pricing or new liquidity pools through the new router could result in suboptimal returns for the strategy and its users

Tools Used

Manual Review

Recommendations

Add Router Update Functionality (this requires `router` to be a regular storage variable rather than a constant or immutable):

```solidity
function updateRouter(address _newRouter) external onlyManagement {
    // Revoke approval from old router
    underlying.safeApprove(address(router), 0);
    // Update router address
    router = ICurveRouterNG(_newRouter);
    // Approve new router
    underlying.safeApprove(address(router), type(uint256).max);
}
```
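As an added, stand-alone illustration of the recommended pattern (not code from this submission or from the Alchemix repository), the sketch below keeps the router in mutable storage, validates the replacement, revokes the stale allowance before granting the new one, and emits an event so the change is auditable. The contract name, the `management` address, and the inline minimal interfaces are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal interfaces; the real strategy uses the project's own
// token and ICurveRouterNG types.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface ICurveRouterNG {}

/// Hypothetical strategy fragment showing an updatable router with a
/// management-only setter. Not the project's code.
contract UpdatableRouterStrategy {
    address public management;
    IERC20 public immutable underlying;
    ICurveRouterNG public router; // storage, not immutable, so it can change

    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    modifier onlyManagement() {
        require(msg.sender == management, "!management");
        _;
    }

    constructor(address _underlying, address _router) {
        management = msg.sender;
        underlying = IERC20(_underlying);
        _setRouter(_router);
    }

    function updateRouter(address _newRouter) external onlyManagement {
        _setRouter(_newRouter);
    }

    function _setRouter(address _newRouter) internal {
        require(_newRouter != address(0), "zero router");
        require(_newRouter.code.length > 0, "router is not a contract");
        address old = address(router);
        require(_newRouter != old, "same router");
        if (old != address(0)) {
            // Clear the unlimited allowance so a deprecated router keeps no
            // spending power over the strategy's funds.
            require(underlying.approve(old, 0), "revoke failed");
        }
        router = ICurveRouterNG(_newRouter);
        require(underlying.approve(_newRouter, type(uint256).max), "approve failed");
        emit RouterUpdated(old, _newRouter);
    }
}
```

The `approve` calls assume a token that returns a bool; tokens that do not should be wrapped with a safe-transfer library as the project already does.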
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Cannot Set A New Router In `StrategyMainnet.sol`
