Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: low
Valid

setRouter should set old router allowance back to 0, especially when dealing with upgradables

auditism

Summary

When setting a new route, the new route allowance is set to type(uint256).max, however the old route allowance is kept at uint256.max as well. Because the approved address is an upgradable contract it would be wiser to reduce its allowance to 0 when moving on to a new router.

Vulnerability Details

As described above when setting a new router, the old router still has uint256.max this poses a threat as that current allowed contract is upgradable and if it becomes malicious there are no ways to reduce its current allowance.

//StrategyArb.sol
function _initStrategy() internal {
router = 0xAAA87963EFeB6f7E0a2711F397663105Acb1805e; //<- is upgradable
underlying.safeApprove(address(router), type(uint256).max);
}
function setRouter(address _router) external onlyManagement {
router = _router;
underlying.safeApprove(router, type(uint256).max); // new router allowance
// ! Old router allowance remains at type(uint256).max !
}

Impact

In the scenario where a malicious upgrade is made, assets left on the contract can be siphoned away.

Tools Used

Manual review

Recommendations

Consider at least removing the allowance when moving to a new implementation.

function setRouter(address _router) external onlyManagement {
+ address oldRouter = router
router = _router;
underlying.safeApprove(router, type(uint256).max); // new router allowance
+ underlying.safeApprove(oldRouter, 0);
}
Updates

Appeal created

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Old router approval is not revoked after an update

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.