DeFiFoundrySolidity
16,653 OP
View results
Submission Details
Severity: low
Invalid

Hardcoded Router Address in Strategy Initialization Brings Issues in `safeApprove`, Redeployment and Testing

Summary

The _initStrategy function uses a hardcoded router address in the contracts of StrategyMainnet.sol, StrategyOp.sol, and StrategyArb.sol. While the inclusion of setter functions provides some flexibility, several risks persist, including deployment challenges, testing difficulties, etc.

Vulnerability Details

The hardcoded router address in the _initStrategy function limits the contracts of StrategyMainnet.sol, StrategyOp.sol, and StrategyArb.sol to a specific deployment environment.

Instead, the address should be parameterized to allow for dynamic assignment.

If the hardcoded address is not yet deployed or functional during contract initialization, the safeApprove call may fail.

src/StrategyArb.sol_initStrategy:#L36

function _initStrategy() internal {
router = 0xAAA87963EFeB6f7E0a2711F397663105Acb1805e;
underlying.safeApprove(address(router), type(uint256).max);
}

src/StrategyMainnet.sol:_initStrategy#L44

function _initStrategy() internal {
router = ICurveRouterNG(0xF0d4c12A5768D806021F80a262B4d39d26C58b8D);
underlying.safeApprove(address(router), type(uint256).max);
}

src/StrategyOp.sol:_initStrategy#L38

function _initStrategy() internal {
router = 0xa062aE8A9c5e11aaA026fc2670B0D65cCc8B2858;
underlying.safeApprove(address(router), type(uint256).max);
}

Atomicity Issues: Deployment errors in _initStrategy require a complete redeployment of the contract rather than a simple retry using a setter function.

Verification: Hardcoded addresses complicate code verification and require additional documentation to confirm their validity. Deployment across multiple environments (e.g., testnets) necessitates manual code changes, which can lead to inconsistencies.

Testing Limitations: Unit tests are hindered by fixed router addresses, making it difficult to simulate different scenarios and router behaviors. Integration tests require the exact address to exist on the test network, complicating the setup process.

Deployment and Upgrade Risks: Deployment failures caused by incorrect or unavailable addresses require redeployment, incurring additional gas costs. Setter functions cannot address issues arising during the initialization phase, necessitating redeployment.

Impact

  • Increased downtime or deployment retries due to initialization issues.

  • Potential financial loss from misconfigured or compromised router addresses.

  • Immutable hardcoded addresses remain vulnerable if exploited or deprecated.

  • Reduced test coverage and complexity in validating behaviors across environments.

Tools Used

Manual Review

Recommendations

Pass the router address as a parameter during contract deployment:

constructor(
address _asset,
address _transmuter,
address _router, // Router parameter
string memory _name
) BaseStrategy(_asset, _name) {
require(_router != address(0), "Invalid router address");
router = _router;
}
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.