Lines of code
https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/coinswap/keeper/swap.go#L26
Vulnerability details
Impact
The function swapCoins does check that SendCoins does receive them correctly here but not when sending them to the user here
Proof of Concept
If there is an error returning the swapped coins to the user, they will remain locked. There is no history of swaps which could be used to retrieve the lost funds, so there is no way to take them back upon an error.
Tools Used
Manual analysis
Recommended Mitigation Steps
Follow the same approach as in receiving the coins (the if-err-nil and all of that)
Assessed type
Token-Transfer
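The pattern the report describes, next to the recommended fix, as an added example that is not code from the Canto repository. mockBank, swapUnchecked, swapChecked, run and the account names are hypothetical stand-ins constructed for illustration; only the SendCoins name comes from the report.

```go
package main

import "fmt"

// mockBank is a constructed stand-in for a bank keeper, not the Cosmos SDK API.
type mockBank struct {
	balances map[string]int64
	failTo   string // sends to this account fail (simulated error)
}

func (b *mockBank) SendCoins(from, to string, amt int64) error {
	if to == b.failTo || b.balances[from] < amt {
		return fmt.Errorf("send %d from %s to %s failed", amt, from, to)
	}
	b.balances[from] -= amt
	b.balances[to] += amt
	return nil
}

// swapUnchecked models the reported pattern: inbound checked, outbound result dropped.
func swapUnchecked(b *mockBank, user, pool string, in, out int64) error {
	if err := b.SendCoins(user, pool, in); err != nil {
		return err
	}
	_ = b.SendCoins(pool, user, out) // error ignored: caller sees success
	return nil
}

// swapChecked applies the recommended mitigation to the outbound transfer too.
func swapChecked(b *mockBank, user, pool string, in, out int64) error {
	if err := b.SendCoins(user, pool, in); err != nil {
		return err
	}
	if err := b.SendCoins(pool, user, out); err != nil {
		return fmt.Errorf("returning swapped coins: %w", err)
	}
	return nil
}

// run performs one swap on a fresh bank where every send to "user" fails.
func run(swap func(*mockBank, string, string, int64, int64) error) (int64, error) {
	b := &mockBank{balances: map[string]int64{"user": 100, "pool": 100}, failTo: "user"}
	err := swap(b, "user", "pool", 10, 9)
	return b.balances["user"], err
}

func main() {
	fmt.Println(run(swapUnchecked)) // user is down 10 coins, no error reported
	fmt.Println(run(swapChecked))   // same balance, but the error reaches the caller
}
```

The mock has no rollback, so the user's balance is 90 in both runs; the difference is that only the checked variant gives the caller an error it can use to abort the swap.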