validateAutoSwapThreshold function has a problem that does not check the AutoSwapThreshold field is less than or equal to the MaxAutoSwapThreshold constant, this can caused that a malicious user could set the AutoSwapThreshold field to a value that is greater than the MaxAutoSwapThreshold constant so this can lead to unexpected behavior from an users with malicious acting and this can caused to swap a large amount of tokens automatically, this allow the malicious user to gain unauthorized access to the system, modify or delete data, or disrupt the operation of the system.
Proof of Concept
A malicious user would need to find the code with the bug. This could be done by looking for code that does not check that the AutoSwapThreshold field is less than or equal to the MaxAutoSwapThreshold constant.
The malicious user would need to set the AutoSwapThreshold field to a value that is greater than the MaxAutoSwapThreshold constant. This could be done by sending a request to the server with the AutoSwapThreshold field set to a value that is greater than the MaxAutoSwapThreshold constant.
The server would then validate the AutoSwapThreshold field. However, because the validateAutoSwapThreshold function does not check that the AutoSwapThreshold field is less than or equal to the MaxAutoSwapThreshold constant, the server would allow the malicious user to set the AutoSwapThreshold field to a value that is greater than the MaxAutoSwapThreshold constant.
The malicious user would then be able to swap a large amount of tokens automatically. This could be done by sending a request to the server with the AutoSwapThreshold field set to a value that is greater than the MaxAutoSwapThreshold constant.
Tools Used
Manuel review
vs code
Recommended Mitigation Steps
the validateAutoSwapThreshold function should be updated to check that the AutoSwapThreshold field is less than or equal to the MaxAutoSwapThreshold constant.
Lines of code
https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/types/params.go#L75
Vulnerability details
Impact
validateAutoSwapThreshold function has a problem that does not check the AutoSwapThreshold field is less than or equal to the MaxAutoSwapThreshold constant, this can caused that a malicious user could set the AutoSwapThreshold field to a value that is greater than the MaxAutoSwapThreshold constant so this can lead to unexpected behavior from an users with malicious acting and this can caused to swap a large amount of tokens automatically, this allow the malicious user to gain unauthorized access to the system, modify or delete data, or disrupt the operation of the system.
Proof of Concept
Tools Used
Manuel review vs code
Recommended Mitigation Steps
the validateAutoSwapThreshold function should be updated to check that the AutoSwapThreshold field is less than or equal to the MaxAutoSwapThreshold constant.
Assessed type
Other