code-423n4 / 2023-06-canto-findings


Onboarding middleware should not support contract addresses #66

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/keeper/ibc_callbacks.go#L28

Vulnerability details

Impact

When a user transfers assets to a contract address on the Canto network through Gravity Bridge, the Cantos converted by Onboarding are likely to be frozen in the contract, resulting in the loss of the user's assets.

Proof of Concept

The Onboarding middleware automatically converts a portion of other assets to Canto and sends them to the target address when users transfer assets to the Canto network through Gravity Bridge.

The purpose of this is to provide gas fees for the target addresses without Canto, but in most cases only EOA accounts need to pay gas fees, not contract addresses.

At the same time, smart contracts need to implement an external function for Canto extraction in order to withdraw Canto assets sent to them, which most contracts do not implement.

So if a user transfers assets to a contract address through Gravity Bridge, the onboarding middleware will convert some of them to Canto and deposit them to the target contract on the Canto network. Finally, it is likely that the Canto will be frozen in the target contract forever because the contract does not support withdrawals for Canto.

Tools Used

VS Code

Recommended Mitigation Steps

We should disable Onboarding from supporting contract addresses, just like we do with module accounts in ibc_callbacks/Keeper.OnRecvPacket().

Assessed type

Other
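The gate the report recommends, written out as an added Go example (this is not code from the Canto repository or from the report's author). The real onboarding keeper would consult x/auth for module accounts and the EVM keeper for contract code through sdk.Context; here both are replaced by constructed in-memory maps, and the conversion arithmetic (`cantoTarget`, `rate`) is a simplified stand-in for the swap the middleware performs. The point it shows is control flow: a recipient that is a module account or that holds bytecode is forwarded the original asset untouched instead of receiving Canto it may never be able to spend.

```go
package main

import "fmt"

// Constructed stand-ins for the state the middleware would query through
// sdk.Context: which addresses are module accounts, and which hold EVM code.
// Both are assumptions for this example, not Canto's own types.
type ModuleAccountSet map[string]bool
type CodeStore map[string][]byte

// SkipReason records why onboarding was not applied to a recipient.
type SkipReason string

const (
	SkipNone          SkipReason = ""
	SkipModuleAccount SkipReason = "module account"
	SkipContract      SkipReason = "contract address"
)

// ClassifyRecipient is the recommended gate: module accounts are already
// excluded by the existing OnRecvPacket check, and the same branch should
// exclude any address that holds bytecode, because a contract with no
// withdrawal path can never move the Canto credited to it.
func ClassifyRecipient(recipient string, mods ModuleAccountSet, code CodeStore) SkipReason {
	if mods[recipient] {
		return SkipModuleAccount
	}
	if len(code[recipient]) > 0 {
		return SkipContract
	}
	return SkipNone
}

// OnboardingResult is what the middleware did with one incoming transfer.
type OnboardingResult struct {
	Skipped        SkipReason
	CantoMinted    int64 // Canto credited to the recipient for gas
	AssetForwarded int64 // bridged asset forwarded after conversion
}

// HandleTransfer models the onboarding step for `amount` units of a bridged
// asset: convert up to `cantoTarget` Canto at `rate` asset units per Canto,
// unless the recipient is gated out, in which case the asset passes through.
func HandleTransfer(recipient string, amount, cantoTarget, rate int64, mods ModuleAccountSet, code CodeStore) OnboardingResult {
	if reason := ClassifyRecipient(recipient, mods, code); reason != SkipNone {
		return OnboardingResult{Skipped: reason, AssetForwarded: amount}
	}
	if rate <= 0 { // malformed price: never burn the user's asset on a bad rate
		return OnboardingResult{AssetForwarded: amount}
	}
	minted := amount / rate // whole Canto the transfer can pay for
	if minted > cantoTarget {
		minted = cantoTarget
	}
	return OnboardingResult{
		CantoMinted:    minted,
		AssetForwarded: amount - minted*rate,
	}
}

func main() {
	mods := ModuleAccountSet{"canto1modulexxx": true}        // constructed
	code := CodeStore{"0xcontract": []byte{0x60, 0x80}}       // constructed bytecode
	for _, r := range []string{"0xeoa", "0xcontract", "canto1modulexxx"} {
		fmt.Printf("%-16s %+v\n", r, HandleTransfer(r, 1000, 4, 100, mods, code))
	}
}
```

One caveat for anyone implementing this: a code-size check only recognises contracts that have already been deployed, so an address precomputed for a future CREATE/CREATE2 deployment still looks like an EOA at transfer time. The gate removes the common case the report describes; it is not a proof that every recipient can spend its Canto.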

c4-pre-sort commented 1 year ago

JeffCX marked the issue as primary issue

c4-pre-sort commented 1 year ago

JeffCX marked the issue as low quality report

c4-judge commented 1 year ago

0xean changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

0xean marked the issue as grade-b