Open c4-submissions opened 11 months ago
141345 marked the issue as duplicate of #4
141345 marked the issue as not a duplicate
141345 marked the issue as duplicate of #81
141345 marked the issue as sufficient quality report
dmvt changed the severity to QA (Quality Assurance)
dmvt marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L65
https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74
Vulnerability details
Impact
The setConcRewards() and setAmbRewards() functions are public functions that lack checks on weekFrom and weekTo, allowing anyone to set past dates.
Proof of Concept
https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L65
https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74
Tools Used
Recommended Mitigation Steps
Ensure that weekFrom is greater than or equal to block.timestamp.
Assessed type
Timing