Open code423n4 opened 1 year ago
JeffCX marked the issue as primary issue
The report points out a few missed input validations. While the impact is not clearly described, the thoughtful recommendation is worth the sponsor's review. The report itself is very QA, though.
All of these parameters, such as whitelisted channels and auto swap threshold, are values that can only be set through governance. As such, it's really unlikely that the parameters will be invalid, since all param change proposals go through rigorous testing. I agree that this is more of a QA issue.
tkkwon1998 marked the issue as sponsor disputed
tkkwon1998 marked the issue as disagree with severity
Meant to put "disagree with severity", not "sponsor disputed".
0xean changed the severity to QA (Quality Assurance)
0xean marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-06-canto/blob/main/Canto/x/onboarding/types/params.go#L89
Vulnerability details
Impact
`Validate()` is missing the call to `validateWhitelistedChannels`, which means anything could be injected in the whitelist channel, which seems concerning.
`validateAutoSwapThreshold()` is allowing 0, which doesn't make sense and would effectively disable the swapping in onboarding, as `if standardCoinBalance.LT(autoSwapThreshold)` would always be false.
`validateWhitelistedChannels()` is missing multiple verifications as it allows the following:
While the impact on those seems Low/Medium, I'm reporting this as Medium as a whole as I feel it is more tilting toward it.
Proof of Concept
Please see recommended section.
Tools Used
Go v1.20 and Goland IDE
Recommended Mitigation Steps
I would recommend to add the following code and test coverage which resolve the issues I'm reporting and also verify them.
CODE DIFF
UNIT TEST DIFF
Assessed type
Invalid Validation
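The two concrete gaps named in the report (a top-level Validate() that skips a field validator, and a threshold of 0 that makes the balance-below-threshold check always false) can be sketched as follows. This is an added example, not the report's diff or the project's code: `Params`, `needsSwap`, the `channel-<number>` format check and the duplicate check are assumptions, and `math/big` stands in for the chain's integer type.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"regexp"
)

// Params is a simplified, hypothetical stand-in for the onboarding parameters.
type Params struct {
	AutoSwapThreshold   *big.Int
	WhitelistedChannels []string
}

// channelID is an assumed format rule ("channel-<number>"), chosen for this example.
var channelID = regexp.MustCompile(`^channel-[0-9]+$`)

func validateAutoSwapThreshold(t *big.Int) error {
	// A balance is never below 0, so a zero threshold would switch the swap off.
	if t == nil || t.Sign() <= 0 {
		return errors.New("auto swap threshold must be positive")
	}
	return nil
}
func validateWhitelistedChannels(chs []string) error {
	seen := map[string]bool{}
	for _, c := range chs {
		if !channelID.MatchString(c) || seen[c] {
			return fmt.Errorf("invalid or duplicate channel id %q", c)
		}
		seen[c] = true
	}
	return nil
}

// Validate runs every per-field validator, so no field is left unchecked.
func (p Params) Validate() error {
	if err := validateAutoSwapThreshold(p.AutoSwapThreshold); err != nil {
		return err
	}
	return validateWhitelistedChannels(p.WhitelistedChannels)
}

// needsSwap mirrors the balance.LT(threshold) comparison quoted in the report.
func needsSwap(balance, threshold *big.Int) bool { return balance.Cmp(threshold) < 0 }

func main() {
	// Constructed sample: zero threshold plus a malformed channel entry.
	bad := Params{AutoSwapThreshold: big.NewInt(0), WhitelistedChannels: []string{"channel-0", "x"}}
	fmt.Println(bad.Validate(), needsSwap(big.NewInt(0), big.NewInt(0)))
}
```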