code-423n4 / 2023-06-canto-findings


Lack of deep validation #51

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/types/params.go#L58 https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/types/params.go#L76

Vulnerability details

Impact

The validate functions are just checking the parameters type without checking any further information

Proof of Concept

They are just trying to cast the value with i.(TYPE) and check if there is an error. There are no further validations (e.g. validateAutoSwapThreshold is just checking that the parameter is an sdk.Int and that it is >= 0 (it could be 0, IDK if it is intentional or a flaw)).

Tools Used

Manual analysis

Recommended Mitigation Steps

Do the necessary checks or rename the functions to checkString and checkInt like here

Assessed type

Invalid Validation

c4-pre-sort commented 1 year ago

JeffCX marked the issue as low quality report

JeffCX commented 1 year ago

They are just trying to cast the value with i.(TYPE) and check if there is an error. There are no further validations (e.g. validateAutoSwapThreshold is just checking that the parameter is an sdk.Int and that it is >= 0 (it could be 0, IDK if it is intentional or a flaw)).

yes, the threshold can be set to 0, which is an expected admin configuration to disable swap, don't think this is a vulnerability
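As an added illustration (not code from the Canto repository or the report), the type-assertion-only pattern the report describes sits beside a validator that also rejects nil and negative values while still accepting 0, matching the maintainer's statement that 0 is the configuration that disables swaps. It assumes `*big.Int` as a stand-in for `sdk.Int`; the function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Int stands in for sdk.Int (assumption: the module uses the cosmos-sdk
// integer type; *big.Int keeps this example dependency-free).
type Int = *big.Int

// validateTypeOnly mirrors the pattern the finding describes: the value is
// type-asserted and nothing else is examined, so nil and negative values pass.
func validateTypeOnly(i interface{}) error {
	if _, ok := i.(Int); !ok {
		return fmt.Errorf("invalid parameter type: %T", i)
	}
	return nil
}

// validateAutoSwapThreshold adds the deeper checks: a typed-nil pointer is
// rejected (calling Sign on it would panic) and negatives are rejected.
// Zero is accepted because the maintainers treat it as "swaps disabled".
func validateAutoSwapThreshold(i interface{}) error {
	v, ok := i.(Int)
	if !ok {
		return fmt.Errorf("invalid parameter type: %T", i)
	}
	if v == nil {
		return errors.New("auto swap threshold must not be nil")
	}
	if v.Sign() < 0 {
		return fmt.Errorf("auto swap threshold must be non-negative, got %s", v)
	}
	return nil
}

func main() {
	var typedNil *big.Int
	for _, in := range []interface{}{"10", typedNil, big.NewInt(-5), big.NewInt(0)} {
		fmt.Printf("%-12v type-only=%v deep=%v\n", in, validateTypeOnly(in), validateAutoSwapThreshold(in))
	}
}
```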

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Insufficient quality