Lines of code
https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/keeper/ibc_callbacks.go#L28
Vulnerability details
Impact
When a user transfers assets to a contract address on the Canto network through Gravity Bridge, the Canto converted by Onboarding is likely to be frozen in the contract, resulting in the loss of the user's assets.
Proof of Concept
The Onboarding middleware automatically converts a portion of the incoming assets to Canto and sends it to the target address when users transfer assets to the Canto network through Gravity Bridge.
The purpose of this is to provide gas fees for target addresses that hold no Canto, but in most cases only EOA accounts need to pay gas fees, not contract addresses.
At the same time, a smart contract must expose an external withdrawal function in order to move out any native Canto sent to it, and most contracts do not implement one.
So if a user transfers assets to a contract address through Gravity Bridge, the Onboarding middleware will convert some of them to Canto and deposit that Canto into the target contract on the Canto network. Since the contract has no way to withdraw native Canto, the converted amount is likely to remain frozen in the target contract forever.
Tools Used
VS Code
Recommended Mitigation Steps
We should disable Onboarding for contract addresses, just as module accounts are already excluded in ibc_callbacks/Keeper.OnRecvPacket().
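The following is an added, self-contained Go illustration of the recommended check; it is not the Canto or ethermint code. It models the account kinds the middleware can encounter with plain structs (the real keeper resolves accounts through the auth module, and the type names, the `decideOnboarding` function and the `OnboardingDecision` values here are assumptions for the example). A contract is recognised the way EVM accounts distinguish it: a code hash that is neither empty nor the hash of empty bytecode. Module accounts and contracts receive the bridged asset untouched, so no Canto can get stranded in a contract that cannot withdraw it.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
)

// Account is the common interface of the account kinds modelled here
// (simplified stand-in for the SDK's account interface, not the real one).
type Account interface {
	Address() string
}

// ModuleAccount models a Cosmos SDK module account, which OnRecvPacket()
// already excludes from onboarding.
type ModuleAccount struct{ Addr, Name string }

func (m ModuleAccount) Address() string { return m.Addr }

// EthAccount models an EVM-compatible account. CodeHash is what separates
// an EOA (no code, or the hash of empty code) from a deployed contract.
type EthAccount struct {
	Addr     string
	CodeHash []byte
}

func (e EthAccount) Address() string { return e.Addr }

// emptyCodeHash is keccak256 of the empty byte string, the code hash an EVM
// account carries when no bytecode is stored at its address.
var emptyCodeHash, _ = hex.DecodeString(
	"c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470")

// IsContract reports whether the account has contract bytecode behind it.
func (e EthAccount) IsContract() bool {
	return len(e.CodeHash) > 0 && !bytes.Equal(e.CodeHash, emptyCodeHash)
}

// OnboardingDecision is the action the middleware takes for a transfer.
type OnboardingDecision int

const (
	Onboard             OnboardingDecision = iota // convert part of the transfer to Canto for gas
	SkipModuleAccount                             // module accounts never pay gas (existing rule)
	SkipContractAccount                           // contracts usually cannot withdraw native Canto (this finding)
	SkipUnknownAccount                            // nothing to decide on: pass the transfer through
)

// decideOnboarding applies the mitigation: only plain EOAs are onboarded;
// every other receiver gets the bridged asset without any Canto conversion.
func decideOnboarding(acc Account) OnboardingDecision {
	switch a := acc.(type) {
	case nil:
		return SkipUnknownAccount
	case ModuleAccount:
		return SkipModuleAccount
	case EthAccount:
		if a.IsContract() {
			return SkipContractAccount
		}
		return Onboard
	default:
		return SkipUnknownAccount
	}
}

func main() {
	// Constructed sample receivers; the addresses and code hash are made up.
	receivers := []Account{
		EthAccount{Addr: "canto1eoa-example", CodeHash: emptyCodeHash},
		EthAccount{Addr: "canto1contract-example", CodeHash: []byte{0xde, 0xad, 0xbe, 0xef}},
		ModuleAccount{Addr: "canto1module-example", Name: "gravity"},
		nil,
	}
	names := map[OnboardingDecision]string{
		Onboard: "onboard", SkipModuleAccount: "skip (module account)",
		SkipContractAccount: "skip (contract)", SkipUnknownAccount: "skip (no account)",
	}
	for _, r := range receivers {
		addr := "<none>"
		if r != nil {
			addr = r.Address()
		}
		fmt.Printf("%-24s -> %s\n", addr, names[decideOnboarding(r)])
	}
}
```

The check belongs right next to the existing module-account exclusion in OnRecvPacket(), so the two cases that should never be onboarded are handled in one place and the conversion only ever targets an account that can actually spend the Canto as gas.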
Assessed type
Other