Oct 06, 2023

Lack of proper access restrictions on functions setConcRewards() and setAmbRewards()

Code4rena (github.com)
access restrictions
fund misappropriation
front-running risk
weekly rewards manipulation
governance check

AI Score

7.3

Confidence

Low

Lines of code: [LiquidityMiningPath.sol#L65](https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L65) and [LiquidityMiningPath.sol#L74](https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74)

Vulnerability details

Impact

The contract's reward distribution can be drained or manipulated.

Proof of Concept

setConcRewards() and setAmbRewards() both lack proper access restrictions, so anyone can call them. This oversight is a serious security lapse and opens a window for misappropriation of funds held by the smart contract.
There is also a front-running risk: a caller can set the weekly rewards to 0 just before users claim, so those users lose their rewards.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider adding the governance and week-alignment `require` checks back to both functions:

```solidity
function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
    // Only governance may change the reward schedule
    require(msg.sender == governance_, "Only callable by governance");
    // Both bounds must be week-aligned timestamps
    require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
    while (weekFrom <= weekTo) {
        concRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
        weekFrom += uint32(WEEK);
    }
}

function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
    // Only governance may change the reward schedule
    require(msg.sender == governance_, "Only callable by governance");
    // Both bounds must be week-aligned timestamps
    require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
    while (weekFrom <= weekTo) {
        ambRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
        weekFrom += uint32(WEEK);
    }
}
```
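As an added illustration (not part of the finding or of the Canto/Ambient code base), the following Foundry test contrasts the reported shape of the setters with the mitigated one and pins the fix down as a regression test. The contract names `UnrestrictedRewards` and `GovernedRewards`, the `RewardScheduleBase` helper, the test addresses and the sample pool id are all constructed for this example; the storage layout and the week loop follow the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";

// Shared storage and the week loop from the finding. Names below are
// constructed for this example, not the contract under review.
abstract contract RewardScheduleBase {
    uint32 public constant WEEK = uint32(7 days);
    address public governance_;
    mapping(bytes32 => mapping(uint32 => uint64)) public concRewardPerWeek_;
    mapping(bytes32 => mapping(uint32 => uint64)) public ambRewardPerWeek_;

    constructor(address governance) {
        governance_ = governance;
    }

    // Writes one reward amount for every week-aligned timestamp in [weekFrom, weekTo].
    function _setWeekly(mapping(uint32 => uint64) storage schedule, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        internal
    {
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
        while (weekFrom <= weekTo) {
            schedule[weekFrom] = weeklyReward;
            weekFrom += WEEK;
        }
    }
}

// Shape of the setters as reported: no caller check, so any account can overwrite the schedule.
contract UnrestrictedRewards is RewardScheduleBase {
    constructor(address governance) RewardScheduleBase(governance) {}

    function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public {
        _setWeekly(concRewardPerWeek_[poolIdx], weekFrom, weekTo, weeklyReward);
    }

    function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public {
        _setWeekly(ambRewardPerWeek_[poolIdx], weekFrom, weekTo, weeklyReward);
    }
}

// Mitigated shape: the governance check lives in one modifier applied to both setters,
// so it cannot silently be dropped from one of them.
contract GovernedRewards is RewardScheduleBase {
    constructor(address governance) RewardScheduleBase(governance) {}

    modifier onlyGovernance() {
        require(msg.sender == governance_, "Only callable by governance");
        _;
    }

    function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public onlyGovernance {
        _setWeekly(concRewardPerWeek_[poolIdx], weekFrom, weekTo, weeklyReward);
    }

    function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public onlyGovernance {
        _setWeekly(ambRewardPerWeek_[poolIdx], weekFrom, weekTo, weeklyReward);
    }
}

contract RewardAccessTest is Test {
    address constant GOV = address(0xA11CE);       // constructed governance address
    address constant STRANGER = address(0xB0B);    // constructed non-governance caller
    bytes32 constant POOL = keccak256("example-pool"); // constructed sample pool id
    uint32 constant WEEK = uint32(7 days);
    uint32 constant FROM = 100 * WEEK;
    uint32 constant TO = 102 * WEEK;

    // Documents the defect: a non-governance caller zeroes a funded week.
    function testUnrestrictedSetterCanBeZeroedByAnyone() public {
        UnrestrictedRewards r = new UnrestrictedRewards(GOV);
        vm.prank(GOV);
        r.setConcRewards(POOL, FROM, TO, 1_000);
        vm.prank(STRANGER);
        r.setConcRewards(POOL, FROM, TO, 0);
        assertEq(uint256(r.concRewardPerWeek_(POOL, FROM)), 0);
    }

    // Regression test for the fix: the same call now reverts and the schedule is untouched.
    function testGovernedSetterRejectsNonGovernance() public {
        GovernedRewards r = new GovernedRewards(GOV);
        vm.prank(GOV);
        r.setAmbRewards(POOL, FROM, TO, 1_000);
        vm.prank(STRANGER);
        vm.expectRevert(bytes("Only callable by governance"));
        r.setAmbRewards(POOL, FROM, TO, 0);
        for (uint32 w = FROM; w <= TO; w += WEEK) {
            assertEq(uint256(r.ambRewardPerWeek_(POOL, w)), 1_000);
        }
    }

    // The week-alignment check is kept as well.
    function testGovernedSetterRejectsUnalignedWeeks() public {
        GovernedRewards r = new GovernedRewards(GOV);
        vm.prank(GOV);
        vm.expectRevert(bytes("Invalid weeks"));
        r.setConcRewards(POOL, FROM + 1, TO, 1_000);
    }
}
```

Run with `forge test` in a Foundry project that has `forge-std` installed. Putting the check in a modifier shared by both setters is deliberate: the finding shows two near-identical functions that both lost the same `require`, and a single modifier makes that omission visible at the function signature rather than buried in the body.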

Assessed type

Invalid Validation
