Any user can call the setConcRewards and setAmbRewards functions and set arbitrary values for weeklyReward, which opens up many attack vectors. For example, it is possible to set a large reward and withdraw all funds from the protocol.
```solidity
function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
    // Governance check is commented out, so any caller reaches the loop below.
    // require(msg.sender == governance_, "Only callable by governance");
    require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
    while (weekFrom <= weekTo) {
        concRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
        weekFrom += uint32(WEEK);
    }
}

function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
    // Same missing check: the only guard left is the week-alignment require.
    // require(msg.sender == governance_, "Only callable by governance");
    require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
    while (weekFrom <= weekTo) {
        ambRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
        weekFrom += uint32(WEEK);
    }
}
```
In these two functions, the lines `require(msg.sender == governance_, "Only callable by governance");` are commented out.
Accordingly, they are never executed and the governance check does not occur.
Any user can call either function and specify a very large weeklyReward in order to withdraw all funds from the protocol.
Manual analysis
Uncomment the commented-out lines so that `require(msg.sender == governance_, "Only callable by governance");` is executed in both functions.
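As an added illustration of the fix (example code, not the project's own), the two setters below restore the governance check through a shared `onlyGovernance` modifier and are covered by a Foundry regression test that asserts a non-governance caller reverts. The `RewardsGovernance` contract, its constructor and the test addresses are hypothetical; only the function names, mappings and the `WEEK` loop come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import "forge-std/Test.sol";

// Hypothetical minimal contract reconstructed for this example: only the storage
// and functions the report names; the rest of the real contract is assumed.
contract RewardsGovernance {
    uint256 internal constant WEEK = 7 days;
    address public governance_;
    mapping(bytes32 => mapping(uint32 => uint64)) public concRewardPerWeek_;
    mapping(bytes32 => mapping(uint32 => uint64)) public ambRewardPerWeek_;
    constructor(address governance) { governance_ = governance; }
    // One modifier instead of a per-function require: the check lives in a single
    // place and cannot be commented out in one setter and forgotten in review.
    modifier onlyGovernance() {
        require(msg.sender == governance_, "Only callable by governance");
        _;
    }
    function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        public payable onlyGovernance
    { _setWeekly(concRewardPerWeek_[poolIdx], weekFrom, weekTo, weeklyReward); }
    function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        public payable onlyGovernance
    { _setWeekly(ambRewardPerWeek_[poolIdx], weekFrom, weekTo, weeklyReward); }
    // The loop from the report, unchanged apart from taking the target table.
    function _setWeekly(mapping(uint32 => uint64) storage table, uint32 weekFrom,
                        uint32 weekTo, uint64 weeklyReward) internal {
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
        while (weekFrom <= weekTo) {
            table[weekFrom] = weeklyReward;
            weekFrom += uint32(WEEK);
        }
    }
}

// Foundry regression test: an arbitrary caller must revert, governance must succeed.
contract RewardsGovernanceTest is Test {
    address internal gov = address(0xA11CE);
    RewardsGovernance internal r = new RewardsGovernance(gov);
    function testNonGovernanceCannotSetRewards() public {
        vm.prank(address(0xBEEF));
        vm.expectRevert("Only callable by governance");
        r.setConcRewards(bytes32(0), 0, uint32(2 weeks), type(uint64).max);
    }
    function testGovernanceCanSetRewards() public {
        vm.prank(gov);
        r.setAmbRewards(bytes32(0), 0, uint32(2 weeks), 1e18);
        assertEq(uint256(r.ambRewardPerWeek_(bytes32(0), uint32(1 weeks))), 1e18);
    }
}
```

Run with `forge test`; the first test fails immediately if the modifier is removed again, which is the regression the original commented-out require lacked.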
Access Control