Canto Liquidity Mining Protocol - 0x3b's results

Lines of code

https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/mixins/LiquidityMining.sol#L188

Vulnerability details

Impact

Due to the nature of how both claimConcentratedRewards and claimAmbientRewards work, if the DAO changes the rewards ratio before the week is over, the whole rewards for the week are gonna be changed. Current changes to the system effect past rewards.

Proof of Concept

claimConcentratedRewards calculates the rewards based on concRewardPerWeek_ index. Users accrue timeWeightedWeeklyPositionInRangeConcLiquidity_ which is multiplyed by concRewardPerWeek_ and devided by the total liquidity staked.

rewardsToSend += inRangeLiquidityOfPosition * concRewardPerWeek_[poolIdx][week] / overallInRangeLiquidity;

After the week is over they are able to call claimConcentratedRewards and claim all of the rewards they have generated. However if the governance executes a call to setConcRewards and changes the rewards mid week, all of the previous rewards that were generated for the current week will change.

Example:

1. Rewards are 1 canto for 1 ETH staked per week.
2. Alice stakes 7 ETH, and she is expecting the reward for the current week to be 7 canto.
3. It is Sunday afternoon and Alice has generated ~6.5 canto, because she staked 7 ETH for 6.5 days.
4. The governance changes the rewards to be 0.5 canto for 1 ETH staked per week.
5. When the week is over, Alice calls claimConcentratedRewards, however she claims 3.5 canto instead of ~ 6.75 (6.5 for the period 1 canto for 1 eth, and 0.25 for the period 0.5 canto for 1 eth).

Tools Used

Manual review.

Recommended Mitigation Steps

This issue revolves around the the structure of how rewards are calculated and that current changes to the system effect past rewards. I am not able to give the right suggestion, as I am not aware of how the rest of the system works, and my suggestion might cause more harm the good, so I will leave it to the devs.

Assessed type

Math