DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: low
Valid

Incompatibility with Tokens That Implement Approval Race Protection

Summary

The setRouter function in the StrategyArb and StrategyOp contracts has a vulnerability related to repeated token approvals: it does not reset the existing token allowance to zero before setting a new approval for the router. This causes compatibility issues with ERC20 tokens that require the allowance to be reset to zero before it is changed, such as USDT.
Independently of USDT, the previous router's approval should be set to zero before a new router is set.

If this function is called multiple times with a new router address, the token approval mechanism may fail, making it impossible to update the router or interact with certain tokens.

Vulnerability Details

The setRouter function does not reset the existing token allowance to zero before approving a new router.

Some tokens, such as USDT, include an approval race protection mechanism that requires the allowance to be set to 0 before approve is called again with a non-zero value.

Impact

Calls to setRouter can fail.

Tools Used

Manual review

Recommendations

function setRouter(address _router) external onlyManagement {
    // Reset the existing allowance before switching routers
+   underlying.approve(router, 0);
    router = _router;
    underlying.approve(router, type(uint256).max);
}
  • Severity should be Medium: the old/previous router retains approval to all of the tokens.
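The pattern described above, as an added illustration that is not part of the submission or the audited code: a constructed USDT-style mock that rejects changing a non-zero allowance without a reset, a hypothetical strategy (assumed names) with the reported setRouter beside the recommended fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Constructed mock of a USDT-style token: a non-zero allowance cannot be changed
// directly to another non-zero value; it must be reset to zero first.
contract RaceProtectedToken is IERC20 {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external returns (bool) {
        require(!((amount != 0) && (allowance[msg.sender][spender] != 0)), "reset allowance to zero first");
        allowance[msg.sender][spender] = amount;
        return true;
    }
}

// Hypothetical strategy (assumed names, not the audited StrategyArb/StrategyOp code).
contract StrategyExample {
    IERC20 public immutable underlying;
    address public immutable management;
    address public router;

    modifier onlyManagement() { require(msg.sender == management, "!management"); _; }

    constructor(IERC20 _underlying, address _router) {
        underlying = _underlying;
        management = msg.sender;
        router = _router;
        underlying.approve(_router, type(uint256).max);
    }

    // Reported pattern: the previous router keeps its max allowance, and on a
    // race-protected token, re-approving an address that already holds a non-zero
    // allowance (e.g. switching back to a former router) reverts.
    function setRouterVulnerable(address _router) external onlyManagement {
        router = _router;
        underlying.approve(router, type(uint256).max);
    }

    // Recommended fix: revoke the old router before approving the new one.
    function setRouterFixed(address _router) external onlyManagement {
        underlying.approve(router, 0);
        router = _router;
        underlying.approve(router, type(uint256).max);
    }
}
```

After setRouterFixed, RaceProtectedToken.allowance(strategy, oldRouter) reads 0, which is the check a reviewer would run against the deployed contract.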

Updates

Appeal created

inallhonesty (Lead Judge), 8 months ago
Submission Judgement Published: Invalidated
Reason: Out of scope

hi_there (Submitter), 7 months ago

inallhonesty (Lead Judge), 7 months ago

inallhonesty (Lead Judge), 7 months ago
Submission Judgement Published: Validated
Assigned finding tags:

Old router approval is not revoked after an update
