Canto Liquidity Mining Protocol - lukejohn's results

Lines of code

https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L65-L81

Vulnerability details

Impact

Detailed description of the impact of this finding. LiquidityMiningPath.setConcRewards() fails to check to ensure that weekFrom > timeWeightedWeeklyGlobalConcLiquidityLastSet_[poolIdx]. Similarly, LiquidityMiningPath.setAmbRewards() fails to check to ensure that weekFrom > timeWeightedWeeklyGlobalAmbLiquidityLastSet_[poolIdx]. As a result, if these two constraints are violated, then weekly reward rate is set for PAST weeks that are smaller than lastAccrued time point. Therefore, these rewards will never be distributed since they are already in the past of lastAccrued.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

LiquidityMiningPath.setConcRewards() allows one to set the weekly reward rate for a range of weeks. However, it is important to ensure that this range of weeks are in the future of the lastAccrued time, which is timeWeightedWeeklyGlobalConcLiquidityLastSet_[poolIdx].

https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L65-L72

Otherwise, if the weeks are already past by timeWeightedWeeklyGlobalConcLiquidityLastSet_[poolIdx], then the rewards for them cannot be distributed anymore. See function LiquidityMining. accrueConcentratedGlobalTimeWeightedLiquidity(), which will accrue since lastAccrued.

https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L39-L65

Similarly, LiquidityMiningPath.setAmbRewards() fails to check to ensure that weekFrom > timeWeightedWeeklyGlobalAmbLiquidityLastSet_[poolIdx]:

https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/callpaths/LiquidityMiningPath.sol#L74-L81

Therefore, it is possible the user is funding for a past week that has been passed by timeWeightedWeeklyGlobalAmbLiquidityLastSet_[poolIdx]. Then, the function LiquidityMining.accrueAmbientGlobalTimeWeightedLiquidity() will not accrue for the weeks since the function accrue rewards since lastAccrued - timeWeightedWeeklyGlobalAmbLiquidityLastSet_[poolIdx].

https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L198-L222

Tools Used

VSCode

Recommended Mitigation Steps

Check both weekFrom > timeWeightedWeeklyGlobalConcLiquidityLastSet_[poolIdx] and weekFrom > timeWeightedWeeklyGlobalAmbLiquidityLastSet_[poolIdx].

function setConcRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
+       lastAccrued = timeWeightedWeeklyGlobalConcLiquidityLastSet_[poolIdx];

        // require(msg.sender == governance_, "Only callable by governance");
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
        while (weekFrom <= weekTo) {
+            require(weekFrom > lastAccrued, "the week is in the past.");
            concRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
            weekFrom += uint32(WEEK);
        }
    }

    function setAmbRewards(bytes32 poolIdx, uint32 weekFrom, uint32 weekTo, uint64 weeklyReward) public payable {
+       lastAccrued = timeWeightedWeeklyGlobalAmbLiquidityLastSet_[poolIdx]

        // require(msg.sender == governance_, "Only callable by governance");
        require(weekFrom % WEEK == 0 && weekTo % WEEK == 0, "Invalid weeks");
        while (weekFrom <= weekTo) {
+           require(weekFrom > lastAccrued, "the week is in the past.");
            ambRewardPerWeek_[poolIdx][weekFrom] = weeklyReward;
            weekFrom += uint32(WEEK);
        }
    }

Assessed type

Invalid Validation