code-423n4 / 2023-10-canto-findings


Lack of proper access restrictions on functions `setConcRewards()` and `setAmbRewards()` #296

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L65
https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74

Vulnerability details

Impact

Contract Reward distribution can be drained / manipulated

Proof of Concept

Both setConcRewards() and setAmbRewards() lack proper access restrictions, which leads to a situation where anyone can execute these functions. This oversight presents a serious security lapse and creates a window for potential fund misappropriation from the smart contract. There is also a risk of front-running users during claims by manipulating the weekly rewards to 0, causing them to lose rewards.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider adding those requirement checks back to the functions.

function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
    // Restored access check: only governance may set reward schedules
    require(msg.sender == governance_, "Only callable by governance");
    // Week boundaries must be aligned to WEEK
    require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
    while (weekFrom <= weekTo) {
        concRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
        weekFrom += uint32(WEEK);
    }
}
function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
    // Restored access check: only governance may set reward schedules
    require(msg.sender == governance_, "Only callable by governance");
    // Week boundaries must be aligned to WEEK
    require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
    while (weekFrom <= weekTo) {
        ambRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
        weekFrom += uint32(WEEK);
    }
}

Assessed type

Invalid Validation
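The following is an added example, not code from the Canto/Ambient repository or from the reporter: a Foundry test that exercises the governance gate the report recommends restoring, including the "set weekly reward to 0 ahead of a claim" scenario it describes. The contract is a constructed stand-in; only the function names, the governance_ variable, WEEK and the two reward mappings are taken from the report, and the addresses, pool id and contract names are assumptions. Note that the judge marked this issue as a duplicate of #4 and invalid, so the test shows only the mechanics of the recommended check at this layer, not a confirmed exploit path in the real call path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";

// Constructed stand-in for the reward-setting path (not the project's code).
contract RewardsPathExample {
    uint256 internal constant WEEK = 7 days; // assumption: weeks are measured in seconds
    address public governance_;
    mapping(bytes32 => mapping(uint32 => uint64)) public concRewardPerWeek_;
    mapping(bytes32 => mapping(uint32 => uint64)) public ambRewardPerWeek_;

    constructor(address gov) {
        governance_ = gov;
    }

    // The check the report asks to restore, factored into a modifier so that
    // both setters share one gate and cannot drift apart.
    modifier onlyGovernance() {
        require(msg.sender == governance_, "Only callable by governance");
        _;
    }

    function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        public payable onlyGovernance
    {
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
        while (weekFrom <= weekTo) {
            concRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
            weekFrom += uint32(WEEK);
        }
    }

    function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward)
        public payable onlyGovernance
    {
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
        while (weekFrom <= weekTo) {
            ambRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
            weekFrom += uint32(WEEK);
        }
    }
}

contract RewardsPathExampleTest is Test {
    uint32 internal constant WEEK = 7 days;
    address internal gov = address(0xA11CE);   // constructed addresses for the test
    address internal outsider = address(0xB0B);
    bytes32 internal pool = keccak256("example-pool"); // constructed pool id
    RewardsPathExample internal path;

    function setUp() public {
        path = new RewardsPathExample(gov);
    }

    // Governance can write the schedule, and every aligned week in the
    // inclusive range receives the value.
    function testGovernanceSetsRewardsForEveryWeekInRange() public {
        vm.prank(gov);
        path.setConcRewards(pool, 0, 2 * WEEK, 100);
        assertEq(uint256(path.concRewardPerWeek_(pool, 0)), 100);
        assertEq(uint256(path.concRewardPerWeek_(pool, WEEK)), 100);
        assertEq(uint256(path.concRewardPerWeek_(pool, 2 * WEEK)), 100);
        assertEq(uint256(path.concRewardPerWeek_(pool, 3 * WEEK)), 0);
    }

    // The front-running scenario from the report: a non-governance caller
    // tries to set the weekly reward to 0 before a claim. With the gate in
    // place the call reverts and the stored value is untouched.
    function testOutsiderCannotZeroRewards() public {
        vm.prank(gov);
        path.setAmbRewards(pool, WEEK, WEEK, 50);

        vm.prank(outsider);
        vm.expectRevert(bytes("Only callable by governance"));
        path.setAmbRewards(pool, WEEK, WEEK, 0);
        assertEq(uint256(path.ambRewardPerWeek_(pool, WEEK)), 50);
    }

    // The alignment check still applies to governance itself.
    function testMisalignedWeekRejected() public {
        vm.prank(gov);
        vm.expectRevert(bytes("Invalid weeks"));
        path.setConcRewards(pool, 1, WEEK, 10);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The negative test is the one worth keeping as a regression check: it fails immediately if a future refactor drops the modifier from either setter, which is exactly the kind of omission the report is about.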

c4-pre-sort commented 1 year ago

141345 marked the issue as duplicate of #4

c4-pre-sort commented 1 year ago

141345 marked the issue as sufficient quality report

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Invalid