Approval Not Revoked When Router Is Changed
Summary
When the router address is updated via setRouter, the old router's approval is not revoked before approving the new router. This means old routers retain their approval to spend the strategy's underlying tokens indefinitely.
Vulnerability Details
In both StrategyArb.sol and StrategyOp.sol, the setRouter function simply approves the new router without revoking the old approval:
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L42-L45
https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L48-L51
The issue arises because:
Each router change adds a new max approval
Old approvals are never revoked
This accumulates unnecessary approvals over time
If a previous router is compromised, it could still access the strategy's tokens
Impact
If an old router contract is compromised, attacker could:
Drain approved underlying tokens from the strategy
Execute malicious swaps using the strategy's tokens
The risk increases with each router change as more approvals accumulate
Even if old routers are sunset, their approvals persist
Tools Used
Manual Review
Recommendations
Revoke the old router's approval before setting the new one:
Appeal created
Old router approval is not revoked after an update
Old router approval is not revoked after an update
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.