Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: low
Valid

Hardcoded ICurveRouterNG Address

maglov

Summary

The _initStrategy function within the StrategyMainnet contract hardcodes the address for the ICurveRouterNG router. This approach introduces potential risks and reduces flexibility in adapting to infrastructure changes or security vulnerabilities in the Curve Router.

Vulnerability Details

  • Code Snippet:

    function _initStrategy() internal {
    @> router = ICurveRouterNG(0xF0d4c12A5768D806021F80a262B4d39d26C58b8D);
    underlying.safeApprove(address(router), type(uint256).max);
    }

Impact

  • If the hardcoded Curve Router address becomes deprecated, compromised, or incorrect, the strategy's functionality may break, requiring a full redeployment of the contract.

  • There is no mechanism to validate or update the hardcoded address post-deployment, which limits the adaptability of the contract.

  • A compromised or deprecated router could expose the strategy to potential exploits or loss of funds.

Tools Used

VSCODE, Manual Review

Recommendations

Introduce configurability and validation mechanisms for the Curve Router address.

  • Configurable Router Address: Add a function to allow the management to update the router address with proper access control:

function setRouter(address _router) external onlyManagement {
require(_router != address(0), "Invalid address");
router = ICurveRouterNG(_router);
underlying.safeApprove(address(router), type(uint256).max);
emit RouterUpdated(address oldRouter, address newRouter);
}
Updates

Appeal created

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Cannot Set A New Router In `StrategyMainnet.sol`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.