Closed code423n4 closed 1 year ago
JeffCX marked the issue as primary issue
There is no need for a deadline, as the swap will either be successful or fail at the time it is called. There's no mempool like Ethereum where TXs can sit in limbo.
tkkwon1998 marked the issue as sponsor disputed
0xean marked the issue as unsatisfactory: Insufficient quality
Lines of code
https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/keeper/ibc_callbacks.go#L93-L107
Vulnerability details
Impact
Deadline is not checked. The transaction may stay unexecuted for a long time, resulting in unfavourable trade when the transaction is finally executed.
Proof of Concept
The function OnRecvPacket is used to help users outside of Canto onboard seamlessly. The module automatically swaps a portion of the assets being transferred to the Canto network via IBC transfer for Canto if the user has less than 4 Canto, without the need for a manual process, and converts the remaining assets to ERC20 tokens on Canto. When converting the tokens to Canto, TradeInputForExactOutput is called in swap.go, which calls calculateWithExactOutput. There is no deadline check when swapping the positions through the pool.
A deadline check is important to maintain favourable trades. For example, if Canto is worth $1 at the moment of the swap and the transaction only executes when Canto reaches $2, then the user has to pay $8 instead of $4 to get their token amounts into the Canto network.
Tools Used
Manual Review
Recommended Mitigation Steps
Recommend setting a deadline parameter in the swap function so that the swap will be declined if too much time has passed without any successful transaction execution.
Assessed type
Other
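The mitigation the report recommends, as an added illustration that is not part of the issue or of the Canto module's code: a hypothetical guarded wrapper around the swap that refuses to execute once the block time passes the caller's deadline, run through the report's own $1 vs $2 scenario for 4 Canto. The Pool type, the GuardedTradeInputForExactOutput function and the optional maxInput bound are constructed for this example; note that only the maxInput bound catches a price move that happens within the deadline.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Errors returned by the guarded swap. Hypothetical names, not the Canto module's.
var (
	ErrDeadlineExceeded = errors.New("swap deadline exceeded")
	ErrInputTooHigh     = errors.New("required input exceeds maxInput")
)

// Pool is a constructed quote source: InputPerOutput is how many input tokens one
// Canto costs at the moment the swap executes. The real module derives this in
// calculateWithExactOutput; here it is a fixed number so the scenario is reproducible.
type Pool struct{ InputPerOutput uint64 }

// GuardedTradeInputForExactOutput is a hypothetical wrapper showing the recommended
// check: the swap is refused when the executing block's time is at or past deadline.
// maxInput is an extra bound on what the caller is willing to pay; 0 disables it.
func GuardedTradeInputForExactOutput(p Pool, exactOut uint64, blockTime, deadline time.Time, maxInput uint64) (uint64, error) {
	if !blockTime.Before(deadline) {
		return 0, ErrDeadlineExceeded
	}
	required := p.InputPerOutput * exactOut
	if maxInput != 0 && required > maxInput {
		return 0, ErrInputTooHigh
	}
	return required, nil
}

func main() {
	submitted := time.Date(2023, 6, 1, 12, 0, 0, 0, time.UTC) // constructed timestamp
	deadline := submitted.Add(10 * time.Minute)
	const wantCanto = 4 // the onboarding threshold named in the report

	// Executed promptly at $1 per Canto: the user pays 4 input tokens.
	got, err := GuardedTradeInputForExactOutput(Pool{1}, wantCanto, submitted.Add(time.Minute), deadline, 0)
	fmt.Println(got, err)

	// Executed an hour later at $2 per Canto: without a deadline the user would pay 8;
	// with the check the swap is refused instead.
	got, err = GuardedTradeInputForExactOutput(Pool{2}, wantCanto, submitted.Add(time.Hour), deadline, 0)
	fmt.Println(got, err)

	// Same price move but still inside the deadline: only the maxInput bound catches it.
	got, err = GuardedTradeInputForExactOutput(Pool{2}, wantCanto, submitted.Add(time.Minute), deadline, 4)
	fmt.Println(got, err)
}
```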