Token Approval on Previous Router Not Revoked in setRouter function
In the setRouter function, the step to revoke the allowance of the previous router is not implemented. This omission could result in unintended scenarios where the remaining allowance permits the previous router to withdraw funds from the strategy, potentially leading to fund mismanagement or exploitation.
The StrategyOp and StrategyArb contracts have a setRouter function that updates the router address and grants it an allowance.
Here's the implementation of the setRouter function in the StrategyOp contract:
As seen above, the function merely updates the router address and grants allowance to the new router.
However, it fails to revoke the allowance on the previous router, leaving it with the ability to interact with the strategy contracts. This oversight could result in unintended scenarios, such as the previous router retaining control over the funds, potentially leading to unauthorized draining or loss of protocol funds.
The failure to revoke allowance from the previous router may result in unauthorized access to strategy funds, potentially leading to fund mismanagement or loss.
Manual Review
It is recommended to update the setRouter function to include a step that explicitly revokes the allowance of the previous router before granting allowance to the new router, ensuring no unauthorized access to strategy funds and mitigating the risk of fund mismanagement or loss.
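The following Solidity contract is an added illustration of the recommendation, not code from the audited StrategyOp/StrategyArb contracts: it shows the pattern the finding describes (update the address, approve the new router) beside a setRouter that first zeroes the previous router's allowance. The asset token, owner model and max-allowance choice are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Minimal stand-in for a strategy contract (assumed shape, not the audited code).
contract StrategyRouterExample {
    IERC20 public immutable asset;
    address public owner;
    address public router;

    event RouterUpdated(address indexed previousRouter, address indexed newRouter);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 _asset, address _router) {
        asset = _asset;
        owner = msg.sender;
        router = _router;
        require(asset.approve(_router, type(uint256).max), "approve failed");
    }

    /// Pattern described in the finding: the previous router keeps its allowance
    /// and can still move strategy funds after it has been replaced.
    function setRouterWithoutRevoke(address newRouter) external onlyOwner {
        router = newRouter;
        require(asset.approve(newRouter, type(uint256).max), "approve failed");
    }

    /// Recommended fix: revoke the previous router's allowance before granting
    /// the new one, so only the current router can spend on behalf of the strategy.
    function setRouter(address newRouter) external onlyOwner {
        require(newRouter != address(0), "zero router");
        address previous = router;
        if (previous != address(0) && previous != newRouter) {
            require(asset.approve(previous, 0), "revoke failed"); // revoke first
        }
        router = newRouter;
        require(asset.approve(newRouter, type(uint256).max), "approve failed");
        emit RouterUpdated(previous, newRouter);
    }

    /// Invariant a test or monitor can check: a replaced router holds no allowance.
    function previousRouterRevoked(address previous) external view returns (bool) {
        return previous == router || asset.allowance(address(this), previous) == 0;
    }
}
```

Calling previousRouterRevoked(oldRouter) after a router change is a simple post-condition to assert in the test suite for both strategy contracts.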