code-423n4 / 2023-06-canto-findings

AutoSwapThreshold field is not checked for exceeding MaxAutoSwapThreshold constant #81

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/types/params.go#L75

Vulnerability details

Impact

The validateAutoSwapThreshold function has a problem: it does not check that the AutoSwapThreshold field is less than or equal to the MaxAutoSwapThreshold constant. As a result, a malicious user could set the AutoSwapThreshold field to a value that is greater than the MaxAutoSwapThreshold constant. This can lead to unexpected behavior from users acting maliciously and can cause a large amount of tokens to be swapped automatically. This allows the malicious user to gain unauthorized access to the system, modify or delete data, or disrupt the operation of the system.

Proof of Concept

Assessed type

Other

JeffCX commented 1 year ago

There is no MaxAutoSwapThreshold constant

c4-pre-sort commented 1 year ago

JeffCX marked the issue as low quality report

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Invalid