Closed code423n4 closed 1 year ago
JeffCX marked the issue as low quality report
this function will fail because can't swap 0.3 USDC to 4 Canto.
given the CANTO price is 0.1 USD,
the report describes an expected behavior
0xean marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/keeper/ibc_callbacks.go#L92-L108
Vulnerability details
Impact
The Swap action will always fail if the value of the deposited IBC asset < the value of autoSwapThreshold Canto. This is not a bug, but it's very inconvenient for users and makes the goal of the onboarding module fail.
Let's assume that: 1 Canto = 0.1 USDC, autoSwapThreshold = 4 Canto (value at ~0.4 USDC), Canto balance of this User = 0.
User flow:
Proof of Concept
Tools Used
VSCode
Recommended Mitigation Steps
The team might consider using TradeExactInputForOutput() with transferredCoin as the exact input params in case the value of transferredCoin IBC assets < the value of autoSwapThreshold Canto to mitigate this inconvenience for the User. Still using TradeInputForExactOutput() with autoSwapThreshold as the exact output params in the remaining case.
Assessed type
Other
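The branch proposed under Recommended Mitigation Steps, worked through with the report's numbers, as an added example that is not part of the original report and is not Canto's coinswap code. It assumes a constant-product pool with no fee, constructed reserves that give 1 Canto = 0.1 USDC, and 6-decimal micro-units for both assets; `pool`, `mulDiv`, `inputForExactOutput`, `outputForExactInput` and `onboardSwap` are hypothetical names.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Constructed toy pool (assumption, not Canto's coinswap code): constant-product,
// no fee, both assets in 6-decimal micro-units. Reserves give 1 Canto = 0.1 USDC.
type pool struct{ usdc, canto uint64 }

// mulDiv returns floor(a*b/c) and the remainder, using a 128-bit intermediate.
func mulDiv(a, b, c uint64) (uint64, uint64) {
	hi, lo := bits.Mul64(a, b)
	return bits.Div64(hi, lo, c)
}

// inputForExactOutput: USDC needed to receive exactly `out` Canto, rounded up.
func (p pool) inputForExactOutput(out uint64) (uint64, bool) {
	if out >= p.canto {
		return 0, false // the pool cannot pay out its whole reserve
	}
	q, r := mulDiv(p.usdc, out, p.canto-out)
	if r > 0 {
		q++
	}
	return q, true
}

// outputForExactInput: Canto received for spending exactly `in` USDC, rounded down.
func (p pool) outputForExactInput(in uint64) uint64 {
	q, _ := mulDiv(p.canto, in, p.usdc+in)
	return q
}

// onboardSwap models the report's proposal (hypothetical helper): buy exactly
// `threshold` Canto when the deposit covers it, otherwise spend the whole deposit.
func onboardSwap(p pool, deposit, threshold uint64) (spent, received uint64, mode string) {
	if need, ok := p.inputForExactOutput(threshold); ok && need <= deposit {
		return need, threshold, "exact-output"
	}
	return deposit, p.outputForExactInput(deposit), "exact-input"
}

func main() {
	p := pool{usdc: 1_000_000_000_000, canto: 10_000_000_000_000} // constructed reserves
	for _, d := range []uint64{300_000, 1_000_000} {              // 0.3 USDC and 1 USDC
		s, r, m := onboardSwap(p, d, 4_000_000) // autoSwapThreshold = 4 Canto
		fmt.Printf("deposit=%d spent=%d received=%d mode=%s\n", d, s, r, m)
	}
}
```

Without the exact-input fallback, the 0.3 USDC deposit cannot cover the input required for 4 Canto, which is the failure both the report and the judge's comment describe.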