Closed code423n4 closed 1 year ago
JeffCX marked the issue as low quality report
After "unmarshaling" the packet, which checks if there is an error, it is used right away without further checking the fields inside it, thus an attacker could send arbitrary values and trick the L1 into undefined behaviour (I didn't go any further)
insufficient detail, marked as low quality report because the warden does not go any further
0xean marked the issue as unsatisfactory: Insufficient quality
Lines of code
https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/keeper/ibc_callbacks.go#L72
https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/keeper/ibc_callbacks.go#L84
Vulnerability details
Impact
There is no input sanitizer implemented for the `transfertypes.FungibleTokenPacketData data` variable.
Proof of Concept
After "unmarshaling" the packet, which checks if there is an error, it is used right away without further checking the fields inside it, thus an attacker could send arbitrary values and trick the L1 into undefined behaviour (I didn't go any further)
Tools Used
Manual analysis
Recommended Mitigation Steps
Check the fields inside `data` to be the correct ones
Assessed type
Invalid Validation
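
The field checks recommended in the report, sketched as an added example that is not part of the original report or of the Canto code base. The `packetData` struct is a local stand-in for the packet's JSON fields, `decodeAndValidate` is a hypothetical helper, and the rules it enforces (non-empty denom, sender and receiver; positive integer amount) are assumptions chosen for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// packetData is a local stand-in that mirrors the JSON fields of a fungible
// token packet; it is not the ibc-go type (assumption for this example).
type packetData struct {
	Denom    string `json:"denom"`
	Amount   string `json:"amount"`
	Sender   string `json:"sender"`
	Receiver string `json:"receiver"`
}

// decodeAndValidate (hypothetical helper) unmarshals the packet and then checks
// every field, so input that is valid JSON but semantically empty is rejected.
func decodeAndValidate(raw []byte) (packetData, error) {
	var d packetData
	if err := json.Unmarshal(raw, &d); err != nil {
		return d, fmt.Errorf("unmarshal: %w", err)
	}
	for _, f := range [][2]string{{"denom", d.Denom}, {"sender", d.Sender}, {"receiver", d.Receiver}} {
		if strings.TrimSpace(f[1]) == "" {
			return d, fmt.Errorf("%s is empty", f[0])
		}
	}
	// Amount travels as a string; require a positive base-10 integer.
	amt, ok := new(big.Int).SetString(d.Amount, 10)
	if !ok || amt.Sign() <= 0 {
		return d, fmt.Errorf("amount %q is not a positive integer", d.Amount)
	}
	return d, nil
}

func main() {
	// Constructed sample packets: one well-formed, two that unmarshal without error but are invalid.
	for _, raw := range []string{
		`{"denom":"uexample","amount":"100","sender":"addr1","receiver":"addr2"}`,
		`{"denom":"uexample","amount":"-5","sender":"addr1","receiver":"addr2"}`,
		`{}`,
	} {
		_, err := decodeAndValidate([]byte(raw))
		fmt.Printf("%s -> %v\n", raw, err)
	}
}
```

The `{}` case is the one the unmarshal error check alone does not catch: it decodes cleanly into a struct of zero values.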