code-423n4 / 2023-10-canto-findings


Missing access control in `setAmbRewards` and `setConcRewards` functions of `LiquidityMiningPath.sol`. A malicious user can call them and increase the reward by passing the `poolIdx` of his pool. #192

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L65-L81

Vulnerability details

Impact:

There is no access control implemented in the setAmbRewards and setConcRewards functions. The concRewardPerWeek_ and ambRewardPerWeek_ mappings can be changed for any poolIdx, and an attacker can exploit the protocol by setting them to obtain the maximum possible rewards.

POC:

Vulnerable Code: contracts/callpaths/LiquidityMiningPath.sol#L65-L81

    function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
        // governance check is commented out, so any caller reaches the loop below
        // require(msg.sender == governance_, "Only callable by governance");
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
        while (weekFrom <= weekTo) {
            concRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
            weekFrom += uint32(WEEK);
        }
    }

    function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
        // governance check is commented out, so any caller reaches the loop below
        // require(msg.sender == governance_, "Only callable by governance");
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
        while (weekFrom <= weekTo) {
            ambRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
            weekFrom += uint32(WEEK);
        }
    }

Tools Used

Manual Review

Recommended Mitigation Steps:

  1. Add proper access control to the setAmbRewards and setConcRewards functions of LiquidityMiningPath.sol so that only the protocol admin/governance can call them to change the rewards.

Assessed type

Access Control
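The following is an added illustration of the mitigation the report recommends, written for this page; it is not the project's code and not part of the original submission. It restores the commented-out governance check as a reusable modifier and pulls the shared week loop into one internal helper so the gate cannot be forgotten on one setter but not the other. The `governance_` address, the `WEEK` value (604800 seconds), the mapping shapes and the `NotGovernance` caller contract are all assumptions made for this example, inferred from the excerpt above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hardened rewrite of the two reward setters with the governance gate restored.
/// Assumptions for this example: WEEK = 604800 seconds, governance_ is a plain
/// address set at deployment, and rewards are keyed poolIdx -> weekStart -> reward.
contract LiquidityMiningRewardsGated {
    uint32 internal constant WEEK = 604800; // assumed: one week in seconds

    address public governance_;
    mapping(bytes32 => mapping(uint32 => uint64)) public concRewardPerWeek_;
    mapping(bytes32 => mapping(uint32 => uint64)) public ambRewardPerWeek_;

    event RewardsSet(bytes32 indexed poolIdx, bool concentrated, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward);

    constructor(address governance) {
        require(governance != address(0), "governance unset");
        governance_ = governance;
    }

    /// The check the vulnerable excerpt had commented out, applied as a modifier
    /// so every privileged setter carries it by construction.
    modifier onlyGovernance() {
        require(msg.sender == governance_, "Only callable by governance");
        _;
    }

    function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        public payable onlyGovernance
    {
        _setRewards(concRewardPerWeek_[poolIdx], weekFrom, weekTo, weeklyReward);
        emit RewardsSet(poolIdx, true, weekFrom, weekTo, weeklyReward);
    }

    function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        public payable onlyGovernance
    {
        _setRewards(ambRewardPerWeek_[poolIdx], weekFrom, weekTo, weeklyReward);
        emit RewardsSet(poolIdx, false, weekFrom, weekTo, weeklyReward);
    }

    /// Shared week loop: both setters accept only week-aligned bounds and write
    /// the same weekly reward for every week in [weekFrom, weekTo].
    function _setRewards(mapping(uint32 => uint64) storage perWeek, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        internal
    {
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
        require(weekFrom <= weekTo, "weekFrom after weekTo");
        while (weekFrom <= weekTo) {
            perWeek[weekFrom] = weeklyReward;
            weekFrom += WEEK;
        }
    }
}

/// Constructed caller (not part of any real deployment) used to show the gate:
/// an address other than governance_ cannot raise rewards for its own pool.
contract NotGovernance {
    function tryRaise(LiquidityMiningRewardsGated target, bytes32 poolIdx, uint32 week) external returns (bool ok) {
        try target.setAmbRewards(poolIdx, week, week, type(uint64).max) {
            ok = true; // would only happen if the gate were missing
        } catch {
            ok = false; // reverted with "Only callable by governance"
        }
    }
}
```

Deploy `LiquidityMiningRewardsGated` with the governance address, then call `NotGovernance.tryRaise` from a second contract: it returns false because the setter reverts, whereas the same call against the excerpt above (with the `require` commented out) would write `type(uint64).max` into `ambRewardPerWeek_[poolIdx][week]`. Keeping the loop in one internal helper also means any later setter added to the path inherits the same alignment checks and the same gate.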

c4-pre-sort commented 1 year ago

141345 marked the issue as duplicate of #4

c4-pre-sort commented 1 year ago

141345 marked the issue as sufficient quality report

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Invalid