However, the given allowances are only removed by calling StrategyPassiveManagerVelodrome::panic or StrategyPassiveManagerVelodrome::setUnirouter functions. Without calling these two functions, the protocol owner could set a new reward pool address but the old one still has permission to spend the output token at will.
Impact
The old reward pool contract will continue to have ERC20 token approvals for StrategyPassiveManagerVelodrome so it can continue to spend the output tokens when this is not intended by the protocol.
Code Snippet
N/A
Tool used
Manual Review
Recommendation
It's recommended to remove all allowances on the output token of the old reward pool contract before changing to the new one.
befree3x
medium
Old
rewardPool
address keeps having full permission to spendoutput
token when new reward pool is setSummary
StrategyPassiveManagerVelodrome
givesoutput
token allowances torewardPool
but doesn't remove allowance when new reward pool is configured.Vulnerability Detail
StrategyPassiveManagerVelodrome
gives full allowance torewardPool
inside the function_giveAllowances
:A new reward pool can be set by the owner, as described below.
However, the given allowances are only removed by calling
StrategyPassiveManagerVelodrome::panic
orStrategyPassiveManagerVelodrome::setUnirouter
functions. Without calling these two functions, the protocol owner could set a new reward pool address but the old one still has permission to spend theoutput
token at will.Impact
The old reward pool contract will continue to have ERC20 token approvals for
StrategyPassiveManagerVelodrome
so it can continue to spend theoutput
tokens when this is not intended by the protocol.Code Snippet
N/A
Tool used
Manual Review
Recommendation
It's recommended to remove all allowances on the
output
token of the old reward pool contract before changing to the new one.Duplicate of #3