code-423n4 / 2023-10-canto-findings


Users can apply for rewards for the same week multiple times #195

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/mixins/LiquidityMining.sol#L177-L180

Vulnerability details

Impact

Function claimConcentratedRewards has insufficient inspection of whether a user has claimed the reward for a week.

Proof of Concept

Function claimConcentratedRewards uses the following code to check whether the reward has been repeatedly claimed:

require(
    !concLiquidityRewardsClaimed_[poolIdx][posKey][week],
    "Already claimed"
);

and posKey is assigned as encodePosKey(owner, poolIdx, lowerTick, upperTick), in which lowerTick and upperTick are passed in by the user. However, in the whole workflow of claimConcentratedRewards, accrueConcentratedPositionTimeWeightedLiquidity can only accrue the in-range time-weighted concentrated liquidity for a position by going over the tick entry / exit history, so a different lowerTick and upperTick (a superset of the limit) can request the reward many times.

Tools Used

Manual review

Recommended Mitigation Steps

use owner instead of posKey in the check

Assessed type

Invalid Validation

141345 commented 1 year ago

invalid

different lowerTick/upperTick will have 0 liquidity for the user
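To make the disagreement between the report's proof of concept and the triage reply concrete, here is a small Python model of the accounting both sides describe, written for this page; it is not code from the 2023-10-canto repository. It assumes (simplification) that a position's time-weighted liquidity is accrued per (poolIdx, posKey, week) from the liquidity minted under that exact posKey, that in-range time is counted by walking a per-week tick history, and that the double-claim check is the per (poolIdx, posKey, week) flag from the quoted require. The names `MiningLedger`, `encode_pos_key`, `record_tick`, `accrue_position` and `scenario` are this example's own, and the tick history and positions are constructed test data.

```python
"""Toy model of weekly reward claims keyed by posKey (added example; assumptions noted inline)."""
from collections import defaultdict


def encode_pos_key(owner: str, pool_idx: int, lower_tick: int, upper_tick: int) -> tuple:
    """Stand-in for the contract's hashed position key (assumed shape).
    The key depends on the caller-supplied tick range, so two ranges give two keys."""
    return (owner, pool_idx, lower_tick, upper_tick)


class MiningLedger:
    def __init__(self, reward_per_week: int):
        self.reward_per_week = reward_per_week
        self.liquidity = {}                     # posKey -> liquidity minted under that exact key
        self.tick_history = defaultdict(list)   # (poolIdx, week) -> [(tick, seconds), ...]
        self.claimed = set()                    # (poolIdx, posKey, week): the quoted require's flag

    def mint(self, owner, pool_idx, lower_tick, upper_tick, liq):
        key = encode_pos_key(owner, pool_idx, lower_tick, upper_tick)
        self.liquidity[key] = self.liquidity.get(key, 0) + liq
        return key

    def record_tick(self, pool_idx, week, tick, seconds):
        """Append one segment of the pool's tick history for a week (constructed input)."""
        self.tick_history[(pool_idx, week)].append((tick, seconds))

    def accrue_position(self, pool_idx, key, week):
        """Assumed model of accrueConcentratedPositionTimeWeightedLiquidity: walk the
        pool's tick history and count the seconds the key's own range was in range.
        Only liquidity minted under this exact key counts, so a range that was never
        minted (e.g. a superset of a real position) accrues 0."""
        _, _, lower, upper = key
        liq = self.liquidity.get(key, 0)
        in_range = sum(s for tick, s in self.tick_history[(pool_idx, week)] if lower <= tick < upper)
        return liq * in_range

    def global_tw(self, pool_idx, week):
        return sum(self.accrue_position(pool_idx, k, week)
                   for k in self.liquidity if k[1] == pool_idx)

    def claim(self, owner, pool_idx, lower_tick, upper_tick, week):
        """Claim flow: the double-claim check is keyed on posKey, exactly as the report notes."""
        key = encode_pos_key(owner, pool_idx, lower_tick, upper_tick)
        if (pool_idx, key, week) in self.claimed:
            raise ValueError("Already claimed")
        self.claimed.add((pool_idx, key, week))
        share = self.accrue_position(pool_idx, key, week)
        total = self.global_tw(pool_idx, week)
        return self.reward_per_week * share // total if total else 0


def scenario():
    """Replays the report's attack with constructed data: alice claims her real position,
    retries the same key, then claims a superset range that was never minted."""
    ledger = MiningLedger(reward_per_week=1_000)
    ledger.mint("alice", 1, 100, 200, liq=500)
    ledger.mint("bob", 1, 0, 300, liq=500)
    ledger.record_tick(1, 7, tick=150, seconds=7 * 24 * 3600)   # price at tick 150 all week

    first = ledger.claim("alice", 1, 100, 200, 7)               # half the pool's liquidity -> 500
    try:
        ledger.claim("alice", 1, 100, 200, 7)
        repeat = "claimed again"
    except ValueError as exc:
        repeat = str(exc)                                       # "Already claimed"
    superset = ledger.claim("alice", 1, 0, 300, 7)              # new posKey, no liquidity -> 0
    return first, repeat, superset


if __name__ == "__main__":
    print(scenario())
```

Under these assumptions the superset claim passes the require (it is a fresh posKey) but pays nothing, because the accrual for that key finds no minted liquidity; that is the point of the triage reply above. Keying the check on owner alone, as the report's mitigation suggests, would instead stop an owner with several distinct positions from claiming each of them in the same week.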

c4-pre-sort commented 1 year ago

141345 marked the issue as low quality report

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Invalid