Closed code423n4 closed 1 year ago
JeffCX marked the issue as primary issue
The "source channel" and "destination channel" labels are slight misnomers from IBC itself, which leads to a lot of confusion. The destination channel just means the channel on the receiving chain. That is the channel that is used to both receive and send IBC packets to another channel.
A better way to think about this would just to call it "gravity-bridge-channel", because all assets coming from Gravity Bridge will go through this channel, and all assets sent to Gravity Bridge will also go through this same channel.
tkkwon1998 marked the issue as sponsor disputed
@tkkwon1998 - thanks for the response here, do you have any docs that I could take a look at to verify this before I close it?
@0xean here's docs for IBC that go over channels: https://docs.cosmos.network/v0.45/ibc/overview.html
Closing as invalid. none of the wardens submitted sufficient proof of there findings. From all of the documentation (which isn't great) the implementation does seems to be correct.
0xean marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-06-canto/blob/main/Canto/x/onboarding/keeper/ibc_callbacks.go#L44-L50
Vulnerability details
Impact
In the
ibc_callbacks.OnRecvPacket
function, theSource Channel
of the transferred packet is required to be checked against theWhitelistedChannels
of the module. If theSource Channel
of the packet is not in theWhitelistedChannels
list then the auto swap and convert will not be triggered.The following code snippet executes this logic in the
ibc_callbacks.OnRecvPacket
function.But the issue here is that the
Desitnation Channel
packet.DestinationChannel
is checked here against the values of theWhitelistedChannels
.Hence if the
Destination Channel
of theCanto
blockchain module is whitelisted in theWhitelistedChannels
list then every token transfer coming from anySource Channel
will be eligible for the auto swap and convert.Hence the purpose of
Whitelisting
Source Channels
is not properly implemented here. Thus the implementation of the logic is not in line with the protocol design requirement.Proof of Concept
https://github.com/code-423n4/2023-06-canto/blob/main/Canto/x/onboarding/keeper/ibc_callbacks.go#L44-L50
Tools Used
VSCode and Manual Review
Recommended Mitigation Steps
It is recommended to check the
packet.SourceChannel
against theWhitelistedChannels
as shown in the modified code snippet below:Assessed type
Other