code-423n4 / 2023-10-canto-findings


Allow setting weekFrom and weekTo with past dates. #75

Open c4-submissions opened 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L65

https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74

Vulnerability details

Impact

The setConcRewards() and setAmbRewards() functions are public functions that lack checks on weekFrom and weekTo, allowing anyone to set past dates.

Proof of Concept

https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L65

https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74

Tools Used

Recommended Mitigation Steps

Ensure that weekFrom is greater than or equal to block.timestamp.

Assessed type

Timing

c4-pre-sort commented 11 months ago

141345 marked the issue as duplicate of #4

c4-pre-sort commented 11 months ago

141345 marked the issue as not a duplicate

c4-pre-sort commented 11 months ago

141345 marked the issue as duplicate of #81

c4-pre-sort commented 11 months ago

141345 marked the issue as sufficient quality report

c4-judge commented 11 months ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 11 months ago

dmvt marked the issue as grade-b