```solidity
function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
    // require(msg.sender == governance_, "Only callable by governance");
```
Lines of code
https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74-L75
Vulnerability details
Impact
LiquidityMiningPath.setAmbRewards lacks access control and allows anyone to modify the ambient liquidity mining reward.
Proof of Concept
https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74-L75
Assuming an attacker owns x% of the pool, the attacker can increase the weekly reward to 100/x of the available balance in the contract and drain all the tokens.
Recommended Mitigation Steps
Uncomment L75, the `require(msg.sender == governance_, "Only callable by governance");` check, so that only governance can call setAmbRewards.
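The following is an added, simplified illustration of the finding and its fix; it is not the Canto/Ambient code. It puts the unprotected setter next to a governance-gated version and includes a Foundry test showing that an arbitrary address can call the first but not the second. The `ambRewards` storage layout, the `_setAmbRewards` helper, the sequential week indices and the test addresses are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Foundry's forge-std is assumed to be installed for the test contract below.
import "forge-std/Test.sol";

// Stand-alone example, not the Ambient LiquidityMiningPath contract.
contract AmbRewardsExample {
    address public governance_;

    // Assumed layout: poolIdx => week index => reward for that week.
    mapping(bytes32 => mapping(uint32 => uint64)) public ambRewards;

    event AmbRewardsSet(bytes32 indexed poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward);

    constructor(address governance) {
        governance_ = governance;
    }

    // The access check from the finding, expressed once as a modifier so it
    // cannot be silently dropped from an individual setter.
    modifier onlyGovernance() {
        require(msg.sender == governance_, "Only callable by governance");
        _;
    }

    // VULNERABLE: mirrors the reported code. With the check commented out,
    // any caller can rewrite the reward schedule of any pool.
    function setAmbRewardsUnprotected(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        public payable
    {
        // require(msg.sender == governance_, "Only callable by governance");
        _setAmbRewards(poolIdx, weekFrom, weekTo, weeklyReward);
    }

    // FIXED: same behaviour, but only governance may call it.
    function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        public payable onlyGovernance
    {
        _setAmbRewards(poolIdx, weekFrom, weekTo, weeklyReward);
    }

    // Assumed helper: weeks are treated as small sequential indices here.
    function _setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) internal {
        require(weekFrom <= weekTo, "bad week range");
        for (uint32 w = weekFrom; w <= weekTo; ++w) {
            ambRewards[poolIdx][w] = weeklyReward;
        }
        emit AmbRewardsSet(poolIdx, weekFrom, weekTo, weeklyReward);
    }
}

// Foundry test: constructed addresses, run with `forge test`.
contract AmbRewardsExampleTest is Test {
    AmbRewardsExample rewards;
    address governance = address(0xA11CE);
    address attacker = address(0xBEEF);

    function setUp() public {
        rewards = new AmbRewardsExample(governance);
    }

    // The unprotected setter accepts a call from any address.
    function testUnprotectedSetterIsCallableByAnyone() public {
        vm.prank(attacker);
        rewards.setAmbRewardsUnprotected(bytes32("pool"), 1, 3, type(uint64).max);
        assertEq(rewards.ambRewards(bytes32("pool"), 2), type(uint64).max);
    }

    // The gated setter reverts for a non-governance caller and works for governance.
    function testProtectedSetterRejectsNonGovernance() public {
        vm.prank(attacker);
        vm.expectRevert(bytes("Only callable by governance"));
        rewards.setAmbRewards(bytes32("pool"), 1, 3, 1e18);

        vm.prank(governance);
        rewards.setAmbRewards(bytes32("pool"), 1, 3, 1e18);
        assertEq(rewards.ambRewards(bytes32("pool"), 1), 1e18);
    }
}
```

Putting the check in a modifier rather than an inline `require` is a design choice for this example: every privileged setter in the contract then carries the same guard, and a reviewer can grep for functions that lack it.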
Assessed type
Access Control