The StrategyOP
contract fails to revoke token approvals when updating the router address, potentially leaving lingering unlimited approvals on old router addresses.
The vulnerability stems from two design oversights:
No explicit approval management during router updates
Missing function to update router address safely
Current Implementation in _initStrategy
:
Here we approve type(uint256).max
amount of underlying tokens to router which is hardcoded.
The setRouter()
function is used to set another address as router by management in StategyOp.sol
but it doesn't revoke the approval of tokens to 0 of past router address.
Potential unauthorized access to underlying tokens
Multiple routers having simultaneous unlimited approvals
Risk of fund loss if old router is compromised
Implement proper router update function:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.