Lines of code: [LiquidityMiningPath.sol#L65](https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L65), [LiquidityMiningPath.sol#L74](https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74)
Contract Reward distribution can be drained / manipulated
Both setConcRewards() and setAmbRewards() lack proper access restrictions, so anyone can execute these functions. This oversight is a serious security lapse and creates a window for potential fund misappropriation from the smart contract.
There is also a risk of users being front-run during claims: an arbitrary caller can set the weekly rewards to 0 just before a claim is processed, so the claiming user loses their rewards.
Tools used: Manual review
Consider adding the governance requirement checks back to both functions:
```solidity
// Recommended form of the two setters in LiquidityMiningPath.sol, with the
// governance check restored as the first statement of each function.
function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
    require(msg.sender == governance_, "Only callable by governance");
    require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
    // Write the same weekly reward for every week in [weekFrom, weekTo].
    while (weekFrom <= weekTo) {
        concRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
        weekFrom += uint32(WEEK);
    }
}

function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
    require(msg.sender == governance_, "Only callable by governance");
    require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
    while (weekFrom <= weekTo) {
        ambRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
        weekFrom += uint32(WEEK);
    }
}
```
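The following Foundry test is an added example, not code from the Canto/Ambient repository or from this report. It places a minimal stand-in for the reward schedule storage (the `WEEK` value, `governance_` address and `concRewardPerWeek_` mapping are assumptions mirroring the names in the snippet above) next to a hardened subclass that restores the governance check, and asserts both that the unguarded version lets an arbitrary address zero out a configured reward schedule and that the guarded version reverts with the expected message. A test of this shape is the regression check a project would keep after applying the mitigation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";

// Assumed stand-in for the storage the setter touches; not the project's own layout.
contract UnguardedRewards {
    uint256 constant WEEK = 604800; // assumed: one week in seconds
    address public governance_;
    mapping(bytes32 => mapping(uint32 => uint64)) public concRewardPerWeek_;

    constructor(address governance) {
        governance_ = governance;
    }

    // Mirrors the unguarded setter from the report: no caller check at all.
    function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        public payable virtual
    {
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
        while (weekFrom <= weekTo) {
            concRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
            weekFrom += uint32(WEEK);
        }
    }
}

// Hardened variant: the governance check is the first thing the function does.
contract GuardedRewards is UnguardedRewards {
    constructor(address governance) UnguardedRewards(governance) {}

    function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        public payable override
    {
        require(msg.sender == governance_, "Only callable by governance");
        super.setConcRewards(poolIdx, weekFrom, weekTo, weeklyReward);
    }
}

contract RewardsAccessControlTest is Test {
    address governance = makeAddr("governance");
    address outsider = makeAddr("outsider");
    bytes32 poolIdx = keccak256("example-pool"); // constructed pool identifier
    uint32 constant WEEK32 = 604800;
    uint32 weekFrom = 0;
    uint32 weekTo = 2 * WEEK32;

    // Without the check, any address can overwrite a schedule governance configured.
    function testUnguardedSetterCanBeZeroedByAnyone() public {
        UnguardedRewards c = new UnguardedRewards(governance);

        vm.prank(governance);
        c.setConcRewards(poolIdx, weekFrom, weekTo, 1000);
        assertEq(uint256(c.concRewardPerWeek_(poolIdx, weekFrom)), 1000);
        assertEq(uint256(c.concRewardPerWeek_(poolIdx, weekTo)), 1000);

        vm.prank(outsider);
        c.setConcRewards(poolIdx, weekFrom, weekTo, 0);
        assertEq(uint256(c.concRewardPerWeek_(poolIdx, weekFrom)), 0);
        assertEq(uint256(c.concRewardPerWeek_(poolIdx, weekTo)), 0);
    }

    // With the check restored, the same call from a non-governance address reverts
    // and the configured schedule is left intact.
    function testGuardedSetterRejectsNonGovernance() public {
        GuardedRewards c = new GuardedRewards(governance);

        vm.prank(governance);
        c.setConcRewards(poolIdx, weekFrom, weekTo, 1000);

        vm.prank(outsider);
        vm.expectRevert(bytes("Only callable by governance"));
        c.setConcRewards(poolIdx, weekFrom, weekTo, 0);

        assertEq(uint256(c.concRewardPerWeek_(poolIdx, weekFrom)), 1000);
    }
}
```

Run with `forge test --match-contract RewardsAccessControlTest` in a Foundry project that has forge-std installed. The guarded contract inherits the loop unchanged and only prepends the `require`, which is exactly the one-line difference the mitigation asks for.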
Invalid Validation