DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: low
Valid

Approval for old router is not revoked

Summary

When management calls `setRouter()` intending to change the router used by the protocol, the `type(uint256).max` approval previously given to the old router is not revoked, even though it should be now that the router has been replaced.

Vulnerability Details

In StrategyOp::setRouter and StrategyArb::setRouter the function is being implemented as below

```solidity
function setRouter(address _router) external onlyManagement {
    router = _router;
    // Grants the new router an unlimited allowance; the allowance
    // previously granted to the old router is left untouched.
    underlying.safeApprove(router, type(uint256).max);
}
```

From this function we can see that management can change the router in use.
However, as noted above, when a new router is set the allowance of the old router is not revoked. This is a problem because that allowance is `type(uint256).max`.

Impact

The old router still holds an unlimited approval over `underlying` and can be abused.

Tools Used

manual review

Recommendations

Revoke the approval of the old router (set its allowance to zero) before approving the new one.

Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update
