Canto Liquidity Mining Protocol - 0xTheC0der's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 03/10/2023

Pot Size: $24,500 USDC

Total HM: 6

Participants: 62

Period: 3 days

Judge: LSDan

Total Solo HM: 3

Id: 288

League: ETH

Canto

Researcher Performance

Rank: 48/62

Findings: 1

Award: $4.94

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

4.9369 USDC - $4.94

Labels

bug
grade-b
QA (Quality Assurance)
sufficient quality report
Q-07

Low 1: Governance can set/change rewards of past weeks

The governance can arbitrarily set/change concentrated/ambient rewards for each week in the future and past, see setConcRewards(...) and setAmbRewards(...).
As a result, rewards of past weeks can be changed, which leads to an unfair distribution of rewards among the users (liquidity providers) depending on whether they claimed their rewards before or after the change.
In order to enforce consistency, I suggest only allowing previously uninitialized rewards (value 0) to be set.

Low 2: Reward week is marked as claimed even though no rewards were claimed

If the overall liquidity is currently 0, see L181-L182 in claimConcentratedRewards(...) and L273-L276 in claimAmbientRewards(...), no rewards are sent for the given week while it's still accounted as claimed, see L190 and L283.
I suggest moving L190 and L283 into the preceding if-block in order to allow users to retry claiming their rewards once overall liquidity is > 0 again.

Non-critical 1: Limited protocol lifetime due to usage of uint32 for Unix timestamps

The Unix timestamps in seconds, e.g. the week timestamp, are given as uint32. This limits the protocol lifetime to the year 2106, which is within a human lifetime from now, see Time formatting and storage bugs.

Non-critical 2: Beginning of new reward week is a Thursday

Since week timestamps must be whole multiples of the seconds in a week, see L67 & L76, and Unix timestamp 0 (block.timestamp) is a Thursday, every new reward week will begin on a Thursday (neglecting leap seconds).
I suggest adding an offset such that new reward weeks begin on Mondays and therefore align with the calendar.

Side note for the sponsor about storage layout (not in scope)

The storage layout contract in the CrocSwap repo doesn't reflect the storage additions of the Canto sidecar storage yet.
Currently there are no conflicts, but please make sure to merge your storage additions into the CrocSwap repo before other sidecars with new storage variables are added to the layout.
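
A minimal Solidity sketch of the fixes suggested in Low 1 and Low 2 above, added here as an illustration; it is not part of the original report or the Canto code. The contract, its storage names and `recordLiquidity` (a stand-in for liquidity accrual) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch: every name here is hypothetical, not the Canto/CrocSwap code.
contract WeeklyRewardsSketch {
    uint32 constant WEEK = 604800; // seconds in a week
    address public immutable governance;
    mapping(uint32 => uint256) public weeklyRewards; // week start => reward budget
    mapping(uint32 => uint256) public overallLiquidity; // week start => time-weighted total
    mapping(address => mapping(uint32 => uint256)) public userLiquidity;
    mapping(address => mapping(uint32 => bool)) public claimed;

    constructor() payable { governance = msg.sender; }

    // Stand-in for the accrual logic, which is outside this sketch.
    function recordLiquidity(address user, uint32 week, uint256 amount) external {
        require(msg.sender == governance, "not governance");
        userLiquidity[user][week] += amount;
        overallLiquidity[week] += amount;
    }

    // Low 1: a week can be set only while its value is still 0 (uninitialized).
    function setRewards(uint32 week, uint256 amount) external {
        require(msg.sender == governance, "not governance");
        require(week % WEEK == 0, "week not aligned");
        require(weeklyRewards[week] == 0, "rewards already set");
        weeklyRewards[week] = amount;
    }

    // Low 2: the week is marked claimed only when rewards were computed for it.
    function claim(uint32[] calldata weeksToClaim) external returns (uint256 rewardsToSend) {
        for (uint256 i; i < weeksToClaim.length; ++i) {
            uint32 week = weeksToClaim[i];
            require(uint256(week) + WEEK < block.timestamp, "week not over yet");
            require(!claimed[msg.sender][week], "already claimed");
            uint256 overall = overallLiquidity[week];
            if (overall > 0) {
                rewardsToSend += (userLiquidity[msg.sender][week] * weeklyRewards[week]) / overall;
                claimed[msg.sender][week] = true; // inside the if-block, so a zero-liquidity week stays claimable
            }
        }
        if (rewardsToSend > 0) {
            (bool ok, ) = msg.sender.call{value: rewardsToSend}("");
            require(ok, "transfer failed");
        }
    }
}
```

Because 0 doubles as the uninitialized marker, a week whose reward was deliberately set to 0 can still be set later under this guard.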

#0 - 141345

2023-10-09T01:44:25Z

#1 - c4-pre-sort

2023-10-09T17:21:16Z

141345 marked the issue as sufficient quality report

#2 - c4-judge

2023-10-18T22:43:18Z

dmvt marked the issue as grade-b
