code423n4 / Code4rena: 2023-10-CANTO-FINDINGS-ISSUES-226
History: Oct 06, 2023 - 12:00 a.m.

Access control check in the setConcRewards and setAmbRewards functions is missing

Source: Code4rena (github.com)
Tags: access control, governance execution, vulnerability, protocol funds

AI Score: 7 (High); Confidence: High

Lines of code

Vulnerability details

Impact

Any user can call the setConcRewards and setAmbRewards functions and set an arbitrary value for weeklyReward, which opens up many attack vectors. For example, an attacker can set a very large reward for a pool and then withdraw all funds from the protocol.

Proof of Concept

function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
	// require(msg.sender == governance_, "Only callable by governance");
	require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
	while (weekFrom <= weekTo) {
		concRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
		weekFrom += uint32(WEEK);
	}
}

function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
	// require(msg.sender == governance_, "Only callable by governance");
	require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
	while (weekFrom <= weekTo) {
		ambRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
		weekFrom += uint32(WEEK);
	}
}

In both functions the line require(msg.sender == governance_, "Only callable by governance"); is commented out, so the governance check is never executed.
Any user can therefore call either function and specify a very large weeklyReward in order to withdraw all funds from the protocol.

Tools Used

Manual analysis

Recommended Mitigation Steps

Uncomment the line require(msg.sender == governance_, "Only callable by governance"); in both setConcRewards and setAmbRewards so that the governance check is executed.
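The following is an added example and not the project's own code: it shows the two setters with the governance check restored through a shared onlyGovernance modifier rather than a per-function require, together with a small harness that demonstrates a non-governance caller is rejected while governance can still write. The contract names (RewardSetters, Attacker, Harness) and the definition of WEEK as 7 days are assumptions; the mapping and variable names are the ones from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not the project's own code: the two reward setters from the
// finding with the governance check restored through a shared modifier, and a
// small harness showing that a non-governance caller is rejected. The contract
// names (RewardSetters, Attacker, Harness) and the WEEK value are assumptions.
contract RewardSetters {
    uint256 constant WEEK = 7 days;            // assumed definition of WEEK
    address public governance_;

    mapping(bytes32 => mapping(uint32 => uint64)) public concRewardPerWeek_;
    mapping(bytes32 => mapping(uint32 => uint64)) public ambRewardPerWeek_;

    constructor(address governance) {
        governance_ = governance;
    }

    // One modifier for every governance-only entry point: the check lives in
    // a single place, so it cannot be commented out in one setter and left in
    // another, and the restriction is visible in each function signature.
    modifier onlyGovernance() {
        require(msg.sender == governance_, "Only callable by governance");
        _;
    }

    function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        public
        payable
        onlyGovernance
    {
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
        while (weekFrom <= weekTo) {
            concRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
            weekFrom += uint32(WEEK);
        }
    }

    function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        public
        payable
        onlyGovernance
    {
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
        while (weekFrom <= weekTo) {
            ambRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
            weekFrom += uint32(WEEK);
        }
    }
}

// A separate contract is a distinct msg.sender, so it plays the role of the
// arbitrary user from the finding.
contract Attacker {
    function trySetConc(RewardSetters target, bytes32 poolIdx, uint32 week) external returns (bool) {
        try target.setConcRewards(poolIdx, week, week, type(uint64).max) {
            return true;   // write succeeded: access control is missing
        } catch {
            return false;  // reverted with "Only callable by governance"
        }
    }
}

// Deploys RewardSetters with itself as governance and checks both outcomes.
contract Harness {
    RewardSetters public target;
    Attacker public attacker;

    constructor() {
        target = new RewardSetters(address(this));
        attacker = new Attacker();
    }

    function run() external returns (bool attackerBlocked, bool governanceAllowed) {
        bytes32 pool = keccak256("pool");
        uint32 week = uint32(2800 * 7 days);   // a multiple of WEEK that fits in uint32

        // Non-governance write must revert and leave the mapping untouched.
        attackerBlocked = !attacker.trySetConc(target, pool, week)
            && target.concRewardPerWeek_(pool, week) == 0;

        // Governance write goes through as before.
        target.setConcRewards(pool, week, week, 1e18);
        governanceAllowed = target.concRewardPerWeek_(pool, week) == 1e18;
    }
}
```

Deploy Harness and call run(): with the modifier in place it returns (true, true); with the check removed from either setter, as in the finding, the first value becomes false because the Attacker's write lands in the mapping. Putting the check in a modifier also makes it easy to confirm by inspection that every governance-only function carries it.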

Assessed type

Access Control


