Canto Liquidity Mining Protocol - BoRonGod's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 03/10/2023

Pot Size: $24,500 USDC

Total HM: 6

Participants: 62

Period: 3 days

Judge: LSDan

Total Solo HM: 3

Id: 288

League: ETH

Canto

Researcher Performance

Rank: 57/62

Findings: 1

Award: $4.94

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

4.9369 USDC - $4.94

Labels

bug
downgraded by judge
grade-b
QA (Quality Assurance)
sponsor disputed
sufficient quality report
Q-14

External Links

Lines of code

https://github.com/code-423n4/2023-10-canto/blob/main/canto_ambient/contracts/mixins/LiquidityMining.sol#L192-L195

Vulnerability details

Impact

Because gas on Ethereum mainnet is expensive and the reward-collection path performs many storage updates, users with small liquidity positions may find that the gas fee for claiming liquidity rewards exceeds the reward amount itself.

Proof of Concept

rewardsToSend is computed below and paid out with no minimum-value check; any non-zero amount is sent, however small:

    uint256 rewardsToSend;
    for (uint256 i; i < weeksToClaim.length; ++i) {
        uint32 week = weeksToClaim[i];
        require(week + WEEK < block.timestamp, "Week not over yet");
        require(
            !concLiquidityRewardsClaimed_[poolIdx][posKey][week],
            "Already claimed"
        );
        uint256 overallInRangeLiquidity = timeWeightedWeeklyGlobalConcLiquidity_[poolIdx][week];
        if (overallInRangeLiquidity > 0) {
            uint256 inRangeLiquidityOfPosition;
            // One storage read per tick of the position's range, for every week claimed
            for (int24 j = lowerTick + 10; j <= upperTick - 10; ++j) {
                inRangeLiquidityOfPosition += timeWeightedWeeklyPositionInRangeConcLiquidity_[poolIdx][posKey][week][j];
            }
            // Percentage of this week's overall in-range liquidity that was provided by the user times the overall weekly rewards
            rewardsToSend += inRangeLiquidityOfPosition * concRewardPerWeek_[poolIdx][week] / overallInRangeLiquidity;
        }
        concLiquidityRewardsClaimed_[poolIdx][posKey][week] = true;
    }
    // Only a zero check here: there is no lower bound on the amount paid out
    if (rewardsToSend > 0) {
        (bool sent, ) = owner.call{value: rewardsToSend}("");
        require(sent, "Sending rewards failed");
    }

Tools Used

Manual check

Recommended Mitigation Steps

A minimum reward threshold could be added so that claims below it are not paid out.
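As an added example (not the project's code and not part of the original report), the following Python mirrors the per-week reward formula from the snippet above and pairs it with a constructed gas estimate, so a claimant can decide which weeks are worth passing as weeksToClaim and whether the batch clears its own gas cost; the gas constants, the sample position and the week numbers are assumptions.

```python
# Added example (not the Canto project's code): a client-side pre-claim check
# that mirrors the per-week reward maths of the audited snippet. The gas
# figures and the sample position below are constructed assumptions.
SLOAD_GAS = 2_100      # assumed cost of a cold storage read
SSTORE_GAS = 20_000    # assumed cost of writing the "claimed" flag
TX_BASE_GAS = 21_000   # fixed per-transaction overhead


def week_reward(position_liq_by_tick, global_liq, reward_per_week,
                lower_tick, upper_tick):
    """Contract maths: sum the position's time-weighted in-range liquidity over
    ticks [lowerTick+10, upperTick-10], then take its integer pro-rata share."""
    if global_liq == 0:
        return 0
    in_range = sum(position_liq_by_tick.get(j, 0)
                   for j in range(lower_tick + 10, upper_tick - 9))
    return in_range * reward_per_week // global_liq


def week_gas(lower_tick, upper_tick):
    """Assumed marginal gas per week: one SLOAD per tick in the inner loop,
    three for the claimed flag, global liquidity and rewardPerWeek, one SSTORE."""
    ticks = max(0, (upper_tick - 10) - (lower_tick + 10) + 1)
    return (ticks + 3) * SLOAD_GAS + SSTORE_GAS


def claim_plan(weeks, lower_tick, upper_tick, gas_price_wei):
    """Pick the weeks worth passing as weeksToClaim: each must out-earn its own
    marginal gas and the batch must also cover the tx overhead. `weeks` holds
    dicts with keys week, position_liq, global_liq, reward_per_week.
    Returns (selected_week_numbers, total_reward_wei, gas_cost_wei)."""
    selected, total_reward, gas = [], 0, TX_BASE_GAS
    marginal = week_gas(lower_tick, upper_tick)
    for w in sorted(weeks, key=lambda w: w["week"]):
        reward = week_reward(w["position_liq"], w["global_liq"],
                             w["reward_per_week"], lower_tick, upper_tick)
        if reward > marginal * gas_price_wei:
            selected.append(w["week"])
            total_reward += reward
            gas += marginal
    if total_reward <= gas * gas_price_wei:   # batch would lose money overall
        return [], 0, 0
    return selected, total_reward, gas * gas_price_wei


# Constructed sample: position over ticks 0..40 (21 ticks in the loop); one week
# with a 10.5% share of the weekly reward, one with a 0.0021% share.
SAMPLE_WEEKS = [
    {"week": 1_696_000_000, "position_liq": {t: 5 for t in range(10, 31)},
     "global_liq": 1_000, "reward_per_week": 10**18},
    {"week": 1_696_604_800, "position_liq": {t: 1 for t in range(10, 31)},
     "global_liq": 1_000_000, "reward_per_week": 10**18},
]
```

At 30 gwei the second sample week earns far less than the storage reads it would cost, so claim_plan drops it and returns only the first week; at a high enough gas price even that week is skipped and the plan comes back empty.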

Assessed type

Payable

#0 - 141345

2023-10-08T09:20:10Z

The msg.sender can check it before claiming.

QA might be more appropriate.

#1 - c4-pre-sort

2023-10-09T16:59:42Z

141345 marked the issue as sufficient quality report

#2 - OpenCoreCH

2023-10-11T11:03:31Z

We do not plan to deploy on ETH mainnet. But in general, nobody is forced to claim rewards (and the user can specify the weeks, so they can simply skip the ones with little rewards).

#3 - c4-sponsor

2023-10-11T11:03:37Z

OpenCoreCH (sponsor) disputed

#4 - c4-judge

2023-10-18T22:16:14Z

dmvt changed the severity to QA (Quality Assurance)

#5 - c4-judge

2023-10-18T22:56:26Z

dmvt marked the issue as grade-b
