DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: low
Valid

The `setRouter` doesn't handle previous router approval properly

Summary

The `setRouter` function updates the router address used for swapping WETH (Wrapped Ether) to alETH. When it does so, it approves the new router but leaves the previous router's unlimited allowance in place.

Vulnerability Details

The `setRouter` function sets a new router address and approves that router to spend an unlimited amount of the underlying asset. However, the allowance granted to the previous router, which is likely compromised or no longer in use, is never revoked, so it can still be used maliciously.
Recall that the previous router was initially approved for `type(uint256).max`. Approving `type(uint256).max` is common practice in DeFi, but it is a risk if the router is compromised or behaves maliciously, and that risk persists for as long as the allowance stands.

Impact

If the previous router was compromised or is no longer meant to be used, leaving its unlimited approval in place poses a serious risk: it can still transfer the strategy's underlying asset even though it is no longer the active router.

Tools Used

Manual

Recommendations

Modify the function as follows, revoking the previous router's allowance before approving the new one:

```solidity
/**
 * @dev Sets the router address for swapping WETH to alETH.
 * @param _router The address of the new router.
 * NOTE: Only used if you want to upgrade the router.
 */
function setRouter(address _router) external onlyManagement {
    //@audit doesn't check if the router to update to is valid
    // Step 1: Revoke approval for the previous router (if any)
    address previousRouter = router;
    if (previousRouter != address(0)) {
        underlying.safeApprove(previousRouter, 0); // Revoke the previous router's allowance
    }
    // Step 2: Update the router to the new address
    router = _router;
    // Step 3: Approve the new router to spend the underlying asset (with max allowance)
    underlying.safeApprove(router, type(uint256).max);
}
```
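The following Foundry test, added here as an illustration and not part of the submission or the audited code base, checks the allowance state described in the Vulnerability Details and Recommendations sections above. It assumes a hypothetical minimal `RouterHolder` contract carrying only the router/approval logic, a constructed `MockWETH` token, plain `approve` calls in place of `safeApprove`, and forge-std plus OpenZeppelin's `ERC20` being available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Constructed stand-in for the strategy's underlying token (WETH in the report).
contract MockWETH is ERC20 {
    constructor() ERC20("Mock WETH", "mWETH") {}
}

// Hypothetical minimal strategy: only the router/approval logic under review.
contract RouterHolder {
    IERC20 public immutable underlying;
    address public router;

    constructor(IERC20 _underlying, address _router) {
        underlying = _underlying;
        router = _router;
        require(underlying.approve(_router, type(uint256).max));
    }

    // Vulnerable shape: the old router keeps its unlimited allowance.
    function setRouterUnsafe(address _router) external {
        router = _router;
        require(underlying.approve(router, type(uint256).max));
    }

    // Recommended shape: revoke the old allowance before re-pointing.
    function setRouterSafe(address _router) external {
        if (router != address(0)) require(underlying.approve(router, 0));
        router = _router;
        require(underlying.approve(router, type(uint256).max));
    }
}

contract RouterApprovalTest is Test {
    MockWETH weth = new MockWETH();
    address oldRouter = makeAddr("oldRouter");
    address newRouter = makeAddr("newRouter");

    function testUnsafeLeavesOldAllowance() public {
        RouterHolder s = new RouterHolder(weth, oldRouter);
        s.setRouterUnsafe(newRouter);
        // Both routers can still pull the strategy's entire balance.
        assertEq(weth.allowance(address(s), oldRouter), type(uint256).max);
        assertEq(weth.allowance(address(s), newRouter), type(uint256).max);
    }

    function testSafeRevokesOldAllowance() public {
        RouterHolder s = new RouterHolder(weth, oldRouter);
        s.setRouterSafe(newRouter);
        assertEq(weth.allowance(address(s), oldRouter), 0);
        assertEq(weth.allowance(address(s), newRouter), type(uint256).max);
    }
}
```

The same `allowance(strategy, oldRouter) == 0` check is also a useful post-deployment monitor after any router change.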
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update