Lines of code
<https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L156-L168>
There donβt seem to be protections against a malicious actor griefing others by manipulating the global liquidity accounting. This could potentially block honest users from claiming their earned rewards.
The main risk of griefing by manipulating global liquidity accounting stems from this function:
function accrueConcentratedGlobalTimeWeightedLiquidity
function accrueConcentratedGlobalTimeWeightedLiquidity(
bytes32 poolIdx,
CurveMath.CurveState memory curve
) internal {
// Accumulates global time-weighted liquidity
}
The issue is this function can be called by any user at any time. There is no access control.
An attacker could exploit this by:
Calling accrueConcentratedGlobalTimeWeightedLiquidity with manipulated curve liquidity data right before honest users try to claim rewards
This distorts the global accounting that reward calculations rely on
Honest users end up claiming smaller % of rewards due to griefing
A more in-depth explanation for the griefing attack would be very helpful here.
function accrueConcentratedGlobalTimeWeightedLiquidity(
bytes32 poolIdx,
CurveMath.CurveState memory curve
) internal {
// Accumulates global time-weighted liquidity
// Based on curve.concLiq_
}
function claimConcentratedRewards(
address owner,
bytes32 poolIdx,
// ...
) internal {
accrueConcentratedGlobalTimeWeightedLiquidity(poolIdx, curve)
// Calculate rewards based on global liquidity accounting
}
function claimConcentratedRewards
The griefing attack works as follows:
Honest user has been accruing rewards for 1 week based on depositing 100 ETH in pool liquidity
Attacker has small portion of pool liquidity
When honest user tries to claim rewards:
3a. Attacker calls accrueConcentratedGlobalTimeWeightedLiquidity with a manipulated curve.concLiq_ value of 10 ETH
3b. This results in a very low global liquidity for the week right before claim
Honest userβs rewards claim calculates percentage based on the distorted global liquidity
Honest user gets only a small portion of the intended rewards due to griefing
Vs
To prevent this, accrueConcentratedGlobalTimeWeightedLiquidity should check:
require(msg.sender == contractOwner, "Only owner can call");
This would ensure only the owner can accumulate global liquidity, preventing manipulation.
Access Control
The text was updated successfully, but these errors were encountered:
All reactions