Use _router as parameter in _setApprovals

[gpersoon]

Vulnerability details

The function _setApprovals() of ConvexStrategy.sol includes _router as a parameter, whereas MIMConvexStrategy.sol doesn't.

MIMConvexStrategy relies on router address being set by the constructor of BaseStrategy.sol.
This only works if router is not immutable.
Luckily it isn't immutable now but this might change in forks of the code.
Although this problem is fixed in Solidity 0.8.9 it is still safer to a add _router as parameter in _setApprovals

metavault/contracts/v3/strategies/ConvexStrategy.sol

Lines 65 to 75 in f91bee5

	function _setApprovals(
	address _want,
	address _crv,
	address _cvx,
	address _dai,
	address _usdc,
	address _usdt,
	address _convexVault,
	address _router,
	address _stableSwap3Pool
	) internal {

metavault/contracts/v3/strategies/MIMConvexStrategy.sol

Lines 82 to 90 in 6c3eac8

	function _setApprovals(
	address _want,
	address _crv,
	address _cvx,
	address _mim,
	address _crv3,
	address _convexVault,
	address _stableSwap2Pool
	) internal {

Recommended mitigation steps

Change _setApprovals() of MIMConvexStrategy.sol to:

function _setApprovals(
...
address _router,
..
) internal {
..
IERC20(_crv).safeApprove(address(_router), type(uint256).max); // make sure to use _router
IERC20(_cvx).safeApprove(address(_router), type(uint256).max); // make sure to use _router
}

[uN2RVw5q]

Although this problem is fixed in Solidity 0.8.9

@gpersoon What got fixed in 0.8.9?

[gpersoon]

The thing that got fixed in solidity 0.8.9 is that you can access immutable variables in the constructor.
In previous versions of solidity you cannot assign a value to an immutable variables and the access this variable.