code-423n4 / 2023-06-canto-findings


Lack of checks for reserve being zero #60

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/coinswap/keeper/swap.go#L48-L59
https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/coinswap/keeper/swap.go#L139-L150

Vulnerability details

Impact

The functions calculateWithExactInput and calculateWithExactOutput continue executing even if the reserves are 0.

Proof of Concept

The functions do check that the reserves are not negative. However, they do not check whether they are 0, so execution continues and the maths is done with zeros in it (there is a k/0 which could revert the execution).

Tools Used

Manual analysis

Recommended Mitigation Steps

Add a check for the reserves being 0, as was done for negative values, with if !inputReserve.IsPositive() and if !outputReserve.IsPositive().

Assessed type

Invalid Validation
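The following Go program is an added example, not code from the Canto repository or from the report author. It models the two validation variants the report contrasts: one that rejects only negative reserves (so a zero reserve reaches the arithmetic) and one that rejects anything not strictly positive, which is the IsPositive check the mitigation asks for. Reserves are modelled with math/big.Int standing in for the SDK's sdk.Int, and the constant-product formulas are the textbook x*y=k pricing without a fee; both are assumptions about the shape of the module's maths, not a copy of it.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Added example: big.Int stands in for sdk.Int, and the pricing formulas are
// assumed textbook constant-product maths, not the coinswap module's own code.

var (
	ErrNegativeReserve = errors.New("reserve is negative")
	ErrZeroReserve     = errors.New("reserve is zero")
	ErrInsufficient    = errors.New("output amount exceeds reserve")
)

// isPositive mirrors sdk.Int.IsPositive: strictly greater than zero.
func isPositive(x *big.Int) bool { return x.Sign() > 0 }

// checkReservesNegativeOnly is the validation the finding describes: it
// rejects negative reserves but lets zero through.
func checkReservesNegativeOnly(inputReserve, outputReserve *big.Int) error {
	if inputReserve.Sign() < 0 || outputReserve.Sign() < 0 {
		return ErrNegativeReserve
	}
	return nil
}

// checkReservesPositive is the recommended mitigation: anything that is not
// strictly positive is rejected, which covers zero as well as negative values.
func checkReservesPositive(inputReserve, outputReserve *big.Int) error {
	if !isPositive(inputReserve) || !isPositive(outputReserve) {
		if inputReserve.Sign() < 0 || outputReserve.Sign() < 0 {
			return ErrNegativeReserve
		}
		return ErrZeroReserve
	}
	return nil
}

// exactOutputPrice returns the input needed to withdraw outputAmt:
// inputReserve*outputAmt / (outputReserve - outputAmt). Like sdk.Int.Quo,
// big.Int.Quo panics on a zero denominator, which is the k/0 path when
// outputReserve == outputAmt (including both being zero).
func exactOutputPrice(outputAmt, inputReserve, outputReserve *big.Int) *big.Int {
	num := new(big.Int).Mul(inputReserve, outputAmt)
	den := new(big.Int).Sub(outputReserve, outputAmt)
	return new(big.Int).Quo(num, den)
}

// exactInputPrice returns the output for depositing inputAmt:
// outputReserve*inputAmt / (inputReserve + inputAmt). With a zero input
// reserve the division succeeds, but the trade drains the whole output reserve.
func exactInputPrice(inputAmt, inputReserve, outputReserve *big.Int) *big.Int {
	num := new(big.Int).Mul(outputReserve, inputAmt)
	den := new(big.Int).Add(inputReserve, inputAmt)
	return new(big.Int).Quo(num, den)
}

// calculateWithExactOutput is the hardened entry point: validate, then compute.
func calculateWithExactOutput(outputAmt, inputReserve, outputReserve *big.Int) (*big.Int, error) {
	if err := checkReservesPositive(inputReserve, outputReserve); err != nil {
		return nil, err
	}
	if outputAmt.Cmp(outputReserve) >= 0 {
		return nil, ErrInsufficient
	}
	return exactOutputPrice(outputAmt, inputReserve, outputReserve), nil
}

// calculateWithExactOutputUnchecked applies only the negative-value check, so a
// zero reserve reaches exactOutputPrice. It reports whether the maths panicked,
// which in a Cosmos SDK keeper would surface as a failed (reverted) transaction.
func calculateWithExactOutputUnchecked(outputAmt, inputReserve, outputReserve *big.Int) (result *big.Int, panicked bool, err error) {
	if err = checkReservesNegativeOnly(inputReserve, outputReserve); err != nil {
		return nil, false, err
	}
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return exactOutputPrice(outputAmt, inputReserve, outputReserve), false, nil
}

func main() {
	zero := big.NewInt(0)
	_, panicked, err := calculateWithExactOutputUnchecked(zero, zero, zero)
	fmt.Printf("negative-only check: panicked=%v err=%v\n", panicked, err)
	_, err = calculateWithExactOutput(zero, zero, zero)
	fmt.Printf("IsPositive check: err=%v\n", err)
	out := exactInputPrice(big.NewInt(50), zero, big.NewInt(1000))
	fmt.Printf("exact input with zero input reserve drains output reserve: %s\n", out)
}
```

Run with `go run .`: the negative-only variant reaches the division and panics, the IsPositive variant returns a clean error before any arithmetic, and the exact-input path shows that even where no division by zero occurs, a zero reserve yields a trade that empties the other side of the pool.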

c4-pre-sort commented 1 year ago

JeffCX marked the issue as low quality report

JeffCX commented 1 year ago

input validation with edge case and lack of impact

c4-judge commented 1 year ago

0xean changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

0xean marked the issue as grade-c