Missing approval revocation puts strategy's funds at a unnecessary risk
Summary
The Arb/Op strategy's setRouter function grants max approval to new router without revoking approval from the previous one. This allows previously-used routers to retain permission to spend the strategy's underlying tokens indefinitely, increasing the risk surface if any historical router becomes compromised.
Vulnerability Details
When changing the router used for swapping underlying to asset, strategy contract grants approval to the new router, but does not revoke approval from the old router:
This creates a situation where multiple routers get max spending permissions:
Initial router gets max approval at deployment
If router is changed, new router gets max approval while old router retains its approval
Each router change adds another max approval without removing previous ones
If any previously approved router contract is found to have vulnerabilities or becomes compromised, it could drain the strategy's underlying tokens even though it's not being used actively by the protocol.
Impact
If any of the historical routers gets compromised (or is found to contain a vulnerability), the impact can be loss of underlying tokens held by the strategy.
Tools Used
Manual review
Recommendations
Revoke the old router's approval before setting the new one:
Appeal created
Old router approval is not revoked after an update
Old router approval is not revoked after an update
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.