The router's approval for the underlying asset is set to type(uint256).max by default. When a new router is set by calling setRouter, the old router's approval for the underlying asset is not reset to zero.
In the constructor, the _initStrategy function is called.
It approves the router address with the max underlying asset approval value.
The router address can be changed by calling setRouter.
In the setRouter function, the old router's underlying asset approval value isn't reset to zero.
The default router for arb chain is 0xAAA87963EFeB6f7E0a2711F397663105Acb1805e (proxy contract).
The default router for op chain is 0xa062aE8A9c5e11aaA026fc2670B0D65cCc8B2858.
If the old router is a proxy, a malicious attacker can upgrade the implementation contract of the proxy contract and steal the funds in the Strategy contract using the max underlying asset approval.
The funds in the Strategy contract may be lost.
manual
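One way to close the gap described above is to revoke the old router's allowance inside setRouter before approving the new one. This is an added sketch, not the project's code: the contract name, the `underlying` and `router` storage names, the `RouterUpdated` event, the `staleAllowance` helper, the `onlyOwner` access control and the use of OpenZeppelin Contracts v5 (`SafeERC20.forceApprove`) are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Illustrative sketch: names, layout and access control are assumed,
/// not taken from the audited Strategy contract.
contract StrategyRouterSketch is Ownable {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying; // assumed name for the underlying asset
    address public router;

    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    constructor(IERC20 _underlying, address _router) Ownable(msg.sender) {
        require(_router != address(0), "router=0");
        underlying = _underlying;
        router = _router;
        // Mirrors the behaviour described for _initStrategy: max approval.
        underlying.forceApprove(_router, type(uint256).max);
    }

    function setRouter(address newRouter) external onlyOwner {
        require(newRouter != address(0), "router=0");
        address oldRouter = router;
        if (newRouter == oldRouter) return; // nothing to rotate

        // Revoke first, so the replaced router (possibly an upgradeable
        // proxy) keeps no spending rights over this contract's balance.
        underlying.forceApprove(oldRouter, 0);

        router = newRouter;
        // forceApprove also handles tokens that reject a non-zero to
        // non-zero allowance change.
        underlying.forceApprove(newRouter, type(uint256).max);

        emit RouterUpdated(oldRouter, newRouter);
    }

    /// Check for tests or monitoring: must return 0 for every former router.
    function staleAllowance(address formerRouter) external view returns (uint256) {
        return underlying.allowance(address(this), formerRouter);
    }
}
```

A regression test for this fix would call setRouter and then assert that the allowance of the previous router address is zero.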