DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: low
Valid

Revoke approve from previous router when set a new one

Summary

The StrategyArb and StrategyOp contracts approve `type(uint256).max` of the underlying token to the router but never revoke that allowance when a new router is set, so every previous router keeps an unlimited allowance.

Vulnerability Details

New routers are approved, but the allowance granted to an old router is never revoked:

```solidity
// StrategyArb
function _initStrategy() internal {
    router = 0xa062aE8A9c5e11aaA026fc2670B0D65cCc8B2858;
    underlying.safeApprove(address(router), type(uint256).max); // >> unlimited approval
}

// <...>

// StrategyOp
function _initStrategy() internal {
    router = 0xAAA87963EFeB6f7E0a2711F397663105Acb1805e;
    underlying.safeApprove(address(router), type(uint256).max); // >> unlimited approval
}

// <...>

function setRouter(address _router) external onlyManagement {
    router = _router;
    underlying.safeApprove(router, type(uint256).max); // >> new router approved, old router's allowance left in place
}
```

Impact

If a previous router address later becomes malicious (or is compromised), its retained unlimited allowance lets it pull the strategy's underlying tokens, causing asset losses.

Tools used

Manual Review

Recommendations

Consider revoking the previous router's allowance when a new router is set, before approving the new one.
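As an added illustration (not the project's code), the following is a hardened `setRouter` that applies the recommendation above. It assumes the same OpenZeppelin 4.x `SafeERC20` that the original code uses, and the `underlying`, `router`, `management` and `onlyManagement` names are assumptions modelled on the snippet, not the strategy's actual declarations:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin 4.x, where safeApprove is still available (assumed to match the strategy's dependency).
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative strategy skeleton: only the router-allowance handling is shown.
contract StrategyRouterAllowanceExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying; // assumed name for the strategy's asset token
    address public router;              // current router holding the allowance
    address public immutable management;

    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    modifier onlyManagement() {
        require(msg.sender == management, "not management");
        _;
    }

    constructor(IERC20 _underlying, address _initialRouter) {
        underlying = _underlying;
        management = msg.sender;
        _setRouter(_initialRouter); // replaces the unconditional approve in _initStrategy
    }

    function setRouter(address _router) external onlyManagement {
        _setRouter(_router);
    }

    // Revoke the old router's allowance first, then grant the new one.
    function _setRouter(address _router) internal {
        require(_router != address(0), "zero router");
        address oldRouter = router;

        if (oldRouter != address(0)) {
            // Approving zero is always accepted by safeApprove and removes the
            // old router's ability to spend the strategy's funds.
            underlying.safeApprove(oldRouter, 0);
        }

        router = _router;
        // safeApprove requires the current allowance to be zero; revoking first
        // also keeps this call from reverting if the same router is set again.
        underlying.safeApprove(_router, type(uint256).max);

        emit RouterUpdated(oldRouter, _router);
    }

    // Defensive check callers or monitoring can use: a retired router must read zero.
    function allowanceOf(address spender) external view returns (uint256) {
        return underlying.allowance(address(this), spender);
    }
}
```

After a router change, `allowanceOf(oldRouter)` returning zero and `allowanceOf(router)` returning `type(uint256).max` is the property to assert in the test suite; a non-zero allowance for any address other than the current router indicates the revoke was skipped.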

Updates

Appeal created

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update
