Platform: Code4rena
Start Date: 03/10/2023
Pot Size: $24,500 USDC
Total HM: 6
Participants: 62
Period: 3 days
Judge: LSDan
Total Solo HM: 3
Id: 288
League: ETH
Rank: 49/62
Findings: 1
Award: $4.94
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 0x3b, 0xAadi, 0xDING99YA, 0xTheC0der, 0xWaitress, 0xdice91, 100su, 3docSec, BRONZEDISC, BoRonGod, Eurovickk, GKBG, HChang26, IceBear, JP_Courses, MatricksDeCoder, Mike_Bello90, SovaSlava, Topmark, albahaca, cookedcookee, gzeon, hunter_w3b, kutugu, lukejohn, marqymarq10, matrix_0wl, orion, pep7siup, radev_sw, sces60107, taner2344, tpiliposian, wahedtalash77, xAriextz, zpan
4.9369 USDC - $4.94
1) Safety and Error Handling: In functions like claimConcentratedRewards and claimAmbientRewards, validate the owner address to prevent unauthorized access. Adding owner validation to these functions ensures that a caller can only claim rewards for positions that belong to them.
```solidity
modifier onlyOwner(bytes32 poolIdx, address owner) {
    require(owner == msg.sender, "Unauthorized");
    _;
}

function claimConcentratedRewards(
    address payable owner,
    bytes32 poolIdx,
    int24 lowerTick,
    int24 upperTick,
    uint32[] memory weeksToClaim
) internal onlyOwner(poolIdx, owner) {
    // Function logic here
}

function claimAmbientRewards(
    address owner,
    bytes32 poolIdx,
    uint32[] memory weeksToClaim
) internal onlyOwner(poolIdx, owner) {
    // Function logic here
}
```
In this proof of concept:
We define a modifier called onlyOwner that takes the poolIdx and owner address as parameters. Inside the modifier, we use require to check that the owner address matches msg.sender; if it does not, the call reverts with the "Unauthorized" reason string. We apply the onlyOwner modifier to the claimConcentratedRewards and claimAmbientRewards functions with the onlyOwner(poolIdx, owner) syntax. These functions now execute only when the caller's address matches the specified owner, preventing unauthorized claims of rewards for positions that do not belong to the caller.
1) Payable Functions: Some functions are marked as payable even though they do not handle msg.value. While this is not a critical issue, it is good practice to remove the payable modifier from functions that do not interact with Ether, to avoid confusion.
2) Access Control: In the setConcRewards and setAmbRewards functions, the require statements that check access control (msg.sender == governance_) are currently commented out. You should clarify how access control is meant to be implemented and whether these functions should be restricted to specific addresses or roles.
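As an added example that is not part of the original report or the audited code base, the following hypothetical contract combines the two access-control points above: the owner check on claims (applied in the internal worker, where msg.sender is still the external caller) and the governance check restored on setConcRewards instead of being left commented out. The reward bookkeeping (concRewards, claimed) is a constructed simplification, not the project's own storage layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical minimal contract, not the audited code: shows the owner check
// on claims and the governance check restored on the reward setter.
contract HardenedRewards {
    address public governance_;
    mapping(bytes32 => uint256) public concRewards;                  // constructed: poolIdx => reward per week
    mapping(address => mapping(bytes32 => uint256)) public claimed;  // constructed: owner => poolIdx => total claimed

    event Claimed(address indexed owner, bytes32 indexed poolIdx, uint256 amount);

    constructor(address governance) {
        governance_ = governance;
    }

    // Reverts unless the caller is the position owner being claimed for.
    modifier onlyOwner(address owner) {
        require(owner == msg.sender, "Unauthorized");
        _;
    }

    // The check the report notes is commented out in the original setters.
    modifier onlyGovernance() {
        require(msg.sender == governance_, "Only callable by governance");
        _;
    }

    // Setter gated by governance rather than open to any caller.
    function setConcRewards(bytes32 poolIdx, uint256 weeklyReward) external onlyGovernance {
        concRewards[poolIdx] = weeklyReward;
    }

    // External entry point: msg.sender is the caller and must equal `owner`.
    function claimConcentratedRewards(address payable owner, bytes32 poolIdx, uint32[] calldata weeksToClaim)
        external
    {
        _claimConcentratedRewards(owner, poolIdx, weeksToClaim);
    }

    // Internal worker: msg.sender is unchanged by an internal call, so the
    // modifier still compares the external caller against `owner`.
    function _claimConcentratedRewards(address payable owner, bytes32 poolIdx, uint32[] calldata weeksToClaim)
        internal
        onlyOwner(owner)
    {
        uint256 amount = concRewards[poolIdx] * weeksToClaim.length;
        claimed[owner][poolIdx] += amount;
        emit Claimed(owner, poolIdx, amount);
    }
}
```

Calling claimConcentratedRewards with an owner other than msg.sender reverts with "Unauthorized", and calling setConcRewards from any address other than governance_ reverts with "Only callable by governance".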
#0 - c4-pre-sort
2023-10-09T17:21:17Z
141345 marked the issue as sufficient quality report
#1 - c4-judge
2023-10-18T23:06:43Z
dmvt marked the issue as grade-b