Closed code423n4 closed 1 year ago
Technically valid, but the function is provided in another context as per the NATSPEC below;
This is a set of APIs for external parties/emission config owners to update their configs. They're
able to transfer ownership, update emission speeds, and update the end time for a campaign. Worth
noting, if the endTime is hit, no more rewards will be accrued, BUT you can call `_updateEndTime`
to extend the specified campaign - if the campaign has ended already, then rewards will start
accruing from the time of reactivation.
So it's the emission config owner's responsibility to check for the available assets which makes the submission falling into [M‑04] The owner is a single point of failure and a centralization risk
0xSorryNotSorry marked the issue as low quality report
Also, I assume that the config owner can add assets to be distributed at any time.
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L775
Vulnerability details
Impact
The function
_updateEndTime
(lines 775-810 inMultiRewardDistributor.sol
) does not validate if the rewards available in the contract would be enough after the extension of the campaign end time and the current emissions rate.If the emissions speed per second set in the current configuration is X tokens to the end time of the current campaign, the needed available amount of X tokens in the form of rewards would be
(End Time - block.timestamp) * Supply Emissions per Second
. For example, if presumably the end of the campaign is extended by 50%, the needed available rewards would be 50% more than the current disposable one, which would mislead the user to think that he/she would receive rewards to the end of the campaign.Proof of Concept
Tools Used
Manual VS code
Recommended Mitigation Steps
Create a validation for the available funds based on the emissions per second and the end time of the campaign.
Assessed type
Other