Closed code423n4 closed 1 year ago
JeffCX marked the issue as low quality report
So an attacker can pass in a malicious lptDenom string that would cause the function to return a non-existent liquidity pool.
Report does not show how an attacker can pass in a malicious lptDenom string.
0xean marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/coinswap/keeper/pool.go#L82
Vulnerability details
Impact
The GetPoolByLptDenom function in the keeper package is the code that checks whether an lptDenom string is valid, and that is where the problem lies: an attacker can pass in a malicious lptDenom string that causes the function to return a non-existent liquidity pool. If an attacker is able to create fake liquidity pools, they could defraud users who are trying to swap tokens. This could lead to the loss of tokens for users, and it could also damage the reputation of the coinswap protocol.
Proof of Concept
An attacker can create a fake liquidity pool that appears to be for the token "USDC", while the malicious lptDenom string actually refers to the token "USDC1". When users try to swap tokens against this fake liquidity pool, they would lose their tokens.
```go
package main

import "fmt"

func main() {
	// Create a malicious lptDenom string (the report's example value).
	lptDenom := "USDC1"
	// The report describes passing it to GetPoolByLptDenom; that call is not in this snippet.
	fmt.Println("lptDenom:", lptDenom)
}
```
This creates a malicious lptDenom string and calls the GetPoolByLptDenom function. If the bug is present, the pool will be nil.
Tools Used
Manual review, VS Code
Recommended Mitigation Steps
Add a check to the GetPoolByLptDenom function to verify that the lptDenom string is valid. This can be done by calling the ValidateLptDenom function before returning the liquidity pool.
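The following is an added example of the validate-then-look-up pattern this mitigation describes; it is not code from the Canto repository. The `Pool` type, `poolStore`, `validateLptDenom` and `getPoolByLptDenom` are stand-ins constructed here (the keeper's real `GetPoolByLptDenom` takes an `sdk.Context` and reads a KV store), and the `lpt-<n>` denom format is an assumption, since the report does not state what `ValidateLptDenom` enforces. The point it shows is that a lookup should reject malformed denoms up front and return an explicit error for unknown ones, so callers never receive a nil pool with a nil error:

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Pool is a minimal stand-in for the coinswap keeper's pool record
// (constructed for this example, not the project's type).
type Pool struct {
	LptDenom          string
	CounterpartyDenom string
}

// lptDenomPattern is an ASSUMED denom format ("lpt-<n>"); the report does
// not state the real one, so adjust it to what ValidateLptDenom enforces.
var lptDenomPattern = regexp.MustCompile(`^lpt-[0-9]+$`)

var (
	ErrInvalidLptDenom = errors.New("invalid lpt denom")
	ErrPoolNotFound    = errors.New("pool not found")
)

// validateLptDenom plays the role the report assigns to ValidateLptDenom:
// reject anything that is not a well-formed LP token denom before any
// storage access happens.
func validateLptDenom(lptDenom string) error {
	if !lptDenomPattern.MatchString(lptDenom) {
		return fmt.Errorf("%w: %q", ErrInvalidLptDenom, lptDenom)
	}
	return nil
}

// poolStore is an in-memory stand-in for the keeper's KV store.
type poolStore struct {
	pools map[string]Pool
}

// getPoolByLptDenom validates the denom first, then looks the pool up, and
// returns an error rather than a nil pool when nothing matches.
func (s *poolStore) getPoolByLptDenom(lptDenom string) (*Pool, error) {
	if err := validateLptDenom(lptDenom); err != nil {
		return nil, err
	}
	p, ok := s.pools[lptDenom]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrPoolNotFound, lptDenom)
	}
	return &p, nil
}

// newExampleStore builds constructed sample data with one registered pool.
func newExampleStore() *poolStore {
	return &poolStore{pools: map[string]Pool{
		"lpt-1": {LptDenom: "lpt-1", CounterpartyDenom: "uusdc"},
	}}
}

func main() {
	store := newExampleStore()
	// "USDC1" is the report's malformed value; "lpt-2" is well-formed but unregistered.
	for _, d := range []string{"lpt-1", "USDC1", "lpt-2"} {
		p, err := store.getPoolByLptDenom(d)
		if err != nil {
			fmt.Printf("%-6s -> rejected: %v\n", d, err)
			continue
		}
		fmt.Printf("%-6s -> pool for %s\n", d, p.CounterpartyDenom)
	}
}
```

Callers can distinguish the two failure modes with `errors.Is`, which matters for message handlers: a malformed denom is a client error to reject outright, while a well-formed but unregistered denom is a not-found condition, and neither should fall through to code that dereferences the pool.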
Assessed type
Other