Both contracts hardcode and initialize a router address upon deployment, and then safeApprove that initial router for type(uint256).max. However, there is a function setRouter that allows management to change the router address, after which the strategy uses the new router for all swaps. In addition, the newly set router is given an approval of type(uint256).max.
The old router, which the strategy no longer uses, still holds an approval of type(uint256).max for the strategy's underlying token. This approval is never reset to 0 when the router is changed, so a router that the strategy no longer trusts retains full rights to spend ALL of the strategy's underlying token.
The old router, which still has approval for type(uint256).max, can spend ALL of the strategy's tokens, leaving the protocol at risk of losing funds.
Manual Review
In the setRouter function for both contracts, rescind the old router's approval by setting it to 0 before storing the new router and approving the new router for type(uint256).max.
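The following is an added illustration, not code from the audited contracts: a minimal strategy with the vulnerable setRouter pattern beside the recommended fix. The contract and member names (StrategyBase, StrategyVulnerable, StrategyFixed, underlying, management, onlyManagement, RouterUpdated) are assumptions chosen for the example; only setRouter, router, safeApprove and type(uint256).max come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Assumed minimal base (names are assumptions for this example): the strategy
/// holds `underlying`, is gated by `onlyManagement`, and approves the initial
/// router for type(uint256).max at deployment, as the finding describes.
abstract contract StrategyBase {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying;
    address public router;
    address public management;

    modifier onlyManagement() {
        require(msg.sender == management, "!management");
        _;
    }

    constructor(IERC20 _underlying, address _router) {
        underlying = _underlying;
        management = msg.sender;
        router = _router;
        // Initial unlimited approval for the hardcoded router.
        underlying.safeApprove(_router, type(uint256).max);
    }
}

/// Vulnerable pattern: the previous router keeps its unlimited allowance forever.
contract StrategyVulnerable is StrategyBase {
    using SafeERC20 for IERC20;

    constructor(IERC20 _underlying, address _router) StrategyBase(_underlying, _router) {}

    function setRouter(address _router) external onlyManagement {
        router = _router;
        // The old router's allowance is left at type(uint256).max: nothing revokes it.
        underlying.safeApprove(_router, type(uint256).max);
    }
}

/// Hardened pattern: zero the old router's allowance before granting the new one.
contract StrategyFixed is StrategyBase {
    using SafeERC20 for IERC20;

    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    constructor(IERC20 _underlying, address _router) StrategyBase(_underlying, _router) {}

    function setRouter(address _router) external onlyManagement {
        require(_router != address(0), "router=0");
        address oldRouter = router;
        // Rescind first. OpenZeppelin's safeApprove also reverts when moving an
        // allowance from non-zero to non-zero, so zeroing before re-approving is
        // required for correctness, not only for hygiene.
        if (oldRouter != address(0)) {
            underlying.safeApprove(oldRouter, 0);
        }
        router = _router;
        underlying.safeApprove(_router, type(uint256).max);
        emit RouterUpdated(oldRouter, _router);
    }
}
```

A regression test for the fix should assert, after calling setRouter, that underlying.allowance(address(strategy), oldRouter) == 0 and that the new router's allowance is type(uint256).max. Note that OpenZeppelin marks safeApprove deprecated in 4.x and removes it in 5.x; on those versions the same zero-then-max sequence applies with forceApprove, and the event makes router changes visible to monitoring.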