Open code423n4 opened 1 year ago
JeffCX marked the issue as low quality report
JeffCX marked the issue as duplicate of #80
JeffCX marked the issue as high quality report
0xean marked the issue as satisfactory
0xean marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-06-canto/blob/main/Canto/x/onboarding/keeper/ibc_callbacks.go#L93-L96
https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/keeper/ibc_callbacks.go#L124
Vulnerability details
Impact
In case the swap operation failed, the module should continue as is with the erc20 conversion and finish the IBC transfer. This is the relevant part of the code that swallows the error:
Notice that in case of an error, swappedAmount will still be written to. Later on in the code, it is used to calculate the conversion amount:
The swappedAmount is trusted to have a zero value in this case. While this is currently true in the existing code, variables returned in error states should not be trusted and should be overwritten. Currently all error states return sdk.ZeroInt() unless the swap was executed correctly, but it might change in a future PR.
Proof of Concept
Run this patch; it will cause TradeInputForExactOutput to always error with a swappedAmount > 0.
@@ -160,51 +161,8 @@ Buy exact amount of a token by specifying the max amount of another token, one o @param receipt : address of the receiver @return : actual amount of the token to be paid */ -func (k Keeper) TradeInputForExactOutput(ctx sdk.Context, input types.Input, output types.Output) (sdk.Int, error) {
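Review bot: the doc comment kept as context above the removed TradeInputForExactOutput signature describes @return only as the actual amount of the token to be paid and says nothing about what the sdk.Int holds when the error is non-nil. Since this report shows a caller reading that value after a failure, the comment should state the error-path contract (for example, that the amount must be ignored on error). The same comment lists @param receipt, which matches none of the parameters in the removed signature (ctx, input, output).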
x/onboarding/keeper/ibc_callbacks_test.go:
The test will still fail because of another unimportant check, but the important check will pass - the address will have sent-swappedAmount vouchers converted, and the rest will be kept. It means swappedAmount was used even though the swap function failed.
Tools Used
IDE.
Recommended Mitigation Steps
Zero the swappedAmount variable in the error case:
Assessed type
Other
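
The failure mode this report describes, as an added Go example that is not part of the original report or of the Canto code base. It assumes int64 in place of sdk.Int, and failingSwap, okSwap, convertTrusting and convertHardened are hypothetical names; failingSwap plays the role of the patched TradeInputForExactOutput from the proof of concept.

```go
package main

import (
	"errors"
	"fmt"
)

// swapFn stands in for the coinswap keeper call. Assumption: int64 replaces
// sdk.Int so the example runs without the Cosmos SDK.
type swapFn func(maxIn int64) (int64, error)

// failingSwap mimics the patched TradeInputForExactOutput from the proof of
// concept: it always errors, yet returns a non-zero amount (constructed value).
func failingSwap(maxIn int64) (int64, error) {
	return maxIn / 2, errors.New("swap failed")
}

// okSwap is a constructed successful swap that costs 30 vouchers.
func okSwap(maxIn int64) (int64, error) { return 30, nil }

// convertTrusting swallows the swap error and still uses the returned amount
// to compute how many vouchers get converted (sent - swappedAmount).
func convertTrusting(swap swapFn, sent int64) int64 {
	swappedAmount, err := swap(sent)
	if err != nil {
		fmt.Println("swap failed, continuing with conversion:", err)
	}
	return sent - swappedAmount
}

// convertHardened applies the recommended mitigation: the amount is
// overwritten with zero whenever the swap reports an error.
func convertHardened(swap swapFn, sent int64) int64 {
	swappedAmount, err := swap(sent)
	if err != nil {
		fmt.Println("swap failed, continuing with conversion:", err)
		swappedAmount = 0
	}
	return sent - swappedAmount
}

func main() {
	const sent = 100 // constructed voucher amount
	fmt.Println("trusting:", convertTrusting(failingSwap, sent)) // 50
	fmt.Println("hardened:", convertHardened(failingSwap, sent)) // 100
	fmt.Println("success: ", convertHardened(okSwap, sent))      // 70
}
```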