search

code-423n4 / 2023-06-canto-findings

1 stars 0 forks source link

If amount sent is smaller than autoSwapThresold, auto-replenishment of CANTO is skipped. #35

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-canto/blob/ae1c2abd2416595b0bdd4b0ce8b2df913b35b3ec/Canto/x/onboarding/keeper/ibc_callbacks.go#L87-L108

Vulnerability details

    autoSwapThreshold := k.GetParams(ctx).AutoSwapThreshold
    swapCoins := sdk.NewCoin(standardDenom, autoSwapThreshold)
    standardCoinBalance := k.bankKeeper.SpendableCoins(ctx, recipient).AmountOf(standardDenom)
    swappedAmount := sdk.ZeroInt()

    ...
        if standardCoinBalance.LT(autoSwapThreshold) {
                swappedAmount, err = k.coinswapKeeper.TradeInputForExactOutput
                (ctx, coinswaptypes.Input{Coin: transferredCoin, Address: recipient.String()}, coinswaptypes.Output{Coin: swapCoins, Address: recipient.String()})
        }
    ...

Proof of Concept

Let's imagine a situation like this.

For example, A user has 2.5 CANTO in his address and wants to send USDC with amount of 3 CANTO if swapped.

Replenishment of 1.5 CANTO to achieve minimum thresold is required and possible.

But amount sent(3 CANTO) is smaller than thresold(4 CANTO), swapping is skipped.

Impact

If replenishment of CANTO is skipped, account may be run out of gas.

Recommendation

When amount sent is smaller than autoSwapThresold, swap should be performed but with TradeExactInputForOutput function instead.

https://github.com/code-423n4/2023-06-canto/blob/ae1c2abd2416595b0bdd4b0ce8b2df913b35b3ec/Canto/x/onboarding/keeper/ibc_callbacks.go#L93

        if standardCoinBalance.LT(autoSwapThreshold) {
+           if transferredCoin.Amount.GTE(autoSwapThreshold) {
                swappedAmount, err = k.coinswapKeeper.TradeInputForExactOutput
                (ctx, coinswaptypes.Input{Coin: transferredCoin, Address: recipient.String()}, 
                coinswaptypes.Output{Coin: swapCoins, Address: recipient.String()})
+           else {
+                swappedAmount, err = k.coinswapKeeper.TradeExactInputForOutput
+               (ctx, coinswaptypes.Input{Coin: transferredCoin, Address: recipient.String()}, 
+               coinswaptypes.Output{Coin: swapCoins, Address: recipient.String()})
+           }
        }

Assessed type

Other

c4-pre-sort commented 1 year ago

JeffCX marked the issue as duplicate of #87

c4-judge commented 1 year ago

0xean changed the severity to QA (Quality Assurance)