Router update fails to remove all the previous token allowances of StrategyOp and StrategyArb from the previous router implementation.
Router update fails to remove all the previous token allowances of StrategyOp and StrategyArb from the previous router implementation.
StrategyOp safe approves all of it's underlying token to the router
StrategyArb safe approves all of it's underlying token to the router
setRouter function can be used to update the router implementation at will by the managment
Files:
-
function setRouter(address _router) external onlyManagement {
router = _router;
underlying.safeApprove(router, type(uint256).max);
}
The Strategy contract at no point in time removes the allowances from the old router. This results in old router instances still having spending rights on the respective Strategies underlying tokens.
Impact
Old router instances still have spending routes over the Strategies respective tokens and given that, some of these routers are upgreadable, it opens a potential door through which the protocol or a devious hacker can rug pull everyone if they have access to the old router admin rights.
Recommended Mitigation
We should remove the allowances of the old router before updating it in the setRouter function
Appeal created
Old router approval is not revoked after an update
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.