For risk management purposes, a swap will fail if the input coin amount exceeds a pre-defined limit (10 USDC, 10 USDT, 0.01 ETH) or if the swap amount limit is not defined.
But in x/coinswap/types/params.go, the actual limit of ETH is 1*10e17, which is 0.1 ETH.
Lines of code
https://github.com/code-423n4/2023-06-canto/blob/main/Canto/x/coinswap/keeper/swap.go#L212
https://github.com/code-423n4/2023-06-canto/blob/main/Canto/x/coinswap/types/params.go#L34
Vulnerability details
Impact
In the spec, the pre-defined limit for ETH is 0.01 ETH. But the actual limit in the code is not 0.01 ETH, which could be misleading.
Proof of Concept
The spec says that the pre-defined limit for ETH is 0.01 ETH: https://github.com/code-423n4/2023-06-canto/blob/main/README.md#swap
But in x/coinswap/types/params.go, the actual limit of ETH is 1*10e17, which is 0.1 ETH. The limit is used in swap.GetMaximumSwapAmount. A wrong limit could harm the risk management. https://github.com/code-423n4/2023-06-canto/blob/main/Canto/x/coinswap/keeper/swap.go#L212
Tools Used
Manual Review
Recommended Mitigation Steps
0.01 ETH should be sdk.NewIntWithDecimal(1, 16).
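A unit check for this mitigation, added here as an example and not taken from the report or the Canto code base: it converts the limit written in the spec into base units and compares it with the configured value. The helper names (newIntWithDecimal, toBaseUnits, checkLimit) are hypothetical, math/big stands in for the SDK integer type, and ETH is assumed to use 18 decimals.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
)

// newIntWithDecimal computes n * 10^dec, the value sdk.NewIntWithDecimal(n, dec)
// represents (stand-in written with math/big, not the SDK function itself).
func newIntWithDecimal(n int64, dec int) *big.Int {
	exp := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(dec)), nil)
	return exp.Mul(exp, big.NewInt(n))
}

// toBaseUnits converts a human-readable amount such as "0.01" into base units
// for a coin with the given number of decimals, without floating point.
func toBaseUnits(amount string, decimals int) (*big.Int, error) {
	whole, frac, _ := strings.Cut(amount, ".")
	if len(frac) > decimals {
		return nil, fmt.Errorf("%q has more than %d fractional digits", amount, decimals)
	}
	digits := whole + frac + strings.Repeat("0", decimals-len(frac))
	v, ok := new(big.Int).SetString(digits, 10)
	if !ok || v.Sign() < 0 {
		return nil, fmt.Errorf("invalid amount %q", amount)
	}
	return v, nil
}

// checkLimit returns an error when the configured limit differs from the spec.
func checkLimit(denom, spec string, decimals int, configured *big.Int) error {
	want, err := toBaseUnits(spec, decimals)
	if err != nil {
		return err
	}
	if want.Cmp(configured) != 0 {
		return fmt.Errorf("%s: spec %s = %s base units, configured %s",
			denom, spec, want, configured)
	}
	return nil
}

func main() {
	// Constructed inputs: the exponent the report describes (17) and the proposed one (16).
	fmt.Println(checkLimit("ETH", "0.01", 18, newIntWithDecimal(1, 17)))
	fmt.Println(checkLimit("ETH", "0.01", 18, newIntWithDecimal(1, 16)))
}
```

Running the same comparison in a parameter test for every coin in the limit list would catch a spec and code mismatch of this kind before deployment.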
Assessed type
Error