Submission Details
Severity:
The Old Router Can Withdraw Funds
Github link
https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyArb.sol#L44
https://github.com/Cyfrin/2024-12-alchemix/blob/main/src/StrategyOp.sol#L50
Summary
Changing routers does not clear the approval values from the previous router.
Vulnerability Details
StrategyArb.sol
function setRouter(address _router) external onlyManagement {
router = _router;
underlying.safeApprove(router, type(uint256).max);
}
Impact
The old router can withdraw this contract's funds from underlying.
Tools Used
Manual Review
Recommendations
function setRouter(address _router) external onlyManagement {
+ underlying.safeApprove(router, 0);
router = _router;
underlying.safeApprove(router, type(uint256).max);
}
Updates
Appeal created
inallhonesty 5 months ago
Submission Judgement Published Assigned finding tags:
Old router approval is not revoked after an update
inallhonesty 5 months ago
Submission Judgement Published Assigned finding tags:
Old router approval is not revoked after an update
Prize pool breakdown
Total prize
16,653 OP
nSLOC
25366 OP / LOC
15,800
853
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.