Open c4-submissions opened 11 months ago
141345 marked the issue as duplicate of #163
not quite the same as https://github.com/code-423n4/2023-10-canto-findings/issues/163
this one focuses on rug pull, rather than reward balance
141345 marked the issue as sufficient quality report
dmvt marked the issue as not a duplicate
dmvt marked the issue as primary issue
dmvt marked the issue as selected for report
OpenCoreCH (sponsor) acknowledged
Rewards will be set and sent in the same Canto governance proposal
Lines of code
https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L65
https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74
Vulnerability details
Impact
The owner of the liquidity mining sidecar can pull the native coins that are stored in the CrocSwapDex to reward the users.
Proof of Concept
The setConcRewards and setAmbRewards functions don't check if the quoted amount of rewards is actually sent by the caller. This allows the owner to specify any total amount of native coin which is available in the CrocSwapDex, from which the funds will be used when distributing the rewards.
https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L65C7-L72
https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74-L81
According to Ambient Docs they allow for deposits in native tokens.
Demo
Update TestLiquidityMining.js: The funds added using hardhat.setBalance() are being used by the owner to distribute rewards
@@ -243,6 +243,17 @@ describe("Liquidity Mining Tests", function () { BigNumber.from("999898351768") );
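Review bot: the hunk header announces 11 added lines in the "Liquidity Mining Tests" describe block, but only the context BigNumber.from("999898351768") ); is shown, so the claim that the hardhat.setBalance() funds pay the rewards cannot be checked from this diff. Include the added lines, and have them assert the CrocSwapDex native balance before setConcRewards or setAmbRewards is called and again after the reward is claimed, so the test itself shows which funds cover the payout.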
Assessed type
Rug-Pull
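The missing check described under Proof of Concept, shown as a simplified Solidity model that is added here for illustration and is not the Canto or Ambient code. Only the name setConcRewards comes from the finding; the contract name, storage layout, WEEK constant, governance check, rewardEscrow counter and helper functions are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: a simplified model, not the Canto/Ambient contract.
// Assumed names: FundedRewardSchedule, WEEK, governance, rewardEscrow,
// concRewardPerWeek, setConcRewardsUnchecked, _schedule, _payReward.
contract FundedRewardSchedule {
    uint32 constant WEEK = 604800;
    address public immutable governance;
    // poolIdx => week start timestamp => native coin reward for that week
    mapping(bytes32 => mapping(uint32 => uint64)) public concRewardPerWeek;
    // Native coin paid in for rewards, tracked apart from user deposits.
    uint256 public rewardEscrow;

    constructor() { governance = msg.sender; }

    // Behaviour the finding describes: the schedule is recorded, but nothing
    // ties weeklyReward to value sent by the caller.
    function setConcRewardsUnchecked(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) external {
        _schedule(poolIdx, weekFrom, weekTo, weeklyReward);
    }

    // Funded form: the call must carry exactly the native coin it promises.
    function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) external payable {
        uint256 numWeeks = _schedule(poolIdx, weekFrom, weekTo, weeklyReward);
        require(msg.value == numWeeks * uint256(weeklyReward), "rewards not funded");
        rewardEscrow += msg.value;
    }

    function _schedule(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) private returns (uint256 numWeeks) {
        require(msg.sender == governance, "only governance");
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0 && weekFrom <= weekTo, "invalid weeks");
        numWeeks = uint256(weekTo - weekFrom) / WEEK + 1;
        for (uint256 i = 0; i < numWeeks; i++) {
            uint32 week = weekFrom + uint32(i) * WEEK;
            // Refuse to overwrite a set week, which would need a refund path.
            require(concRewardPerWeek[poolIdx][week] == 0, "week already set");
            concRewardPerWeek[poolIdx][week] = weeklyReward;
        }
    }

    // Payouts draw only on escrowed rewards; the subtraction reverts if unfunded.
    function _payReward(address payable to, uint256 amount) internal {
        rewardEscrow -= amount;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

With the payable form, the sponsor's stated process of setting and sending rewards in the same governance proposal becomes an on-chain invariant rather than a convention.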