Lines of code
https://github.com/code-423n4/2023-06-canto/blob/main/Canto/x/coinswap/types/params.go#L31-L35
Vulnerability details
Impact
The contest page states a per-swap input limit of 10 USDC / 10 USDT / 0.01 ETH, which at current prices is worth roughly 10 USDT / 10 USDC / 18 USDT. These limits correspond to 4 Canto, which means the code effectively accepts a Canto price of at most 2.5 USDC or equivalent. The contest page also states: 'For risk management purposes, a swap will fail if the input coin amount exceeds a pre-defined limit (10 USDC, 10 USDT, 0.01 ETH) or if the swap amount limit is not defined.'
Proof of Concept
When users lock their funds (USDC/USDT/ETH) at Gravity Bridge, the IBC layer triggers the callback that swaps them for the minimum amount of Canto. However, the maximum threshold for the funds being sent is fixed at 10 USDC / 10 USDT / 0.01 ETH. This creates an arbitrage opportunity for users once the price of Canto reaches, say, 2.5 USDC. E.g. the price of Canto hits 3 USDC: a user sends 10 USDC, receives 4 Canto on Canto EVM and sends the 4 Canto back to Gravity Bridge. This leads to draining the Canto pool on the Gravity Bridge side.
Tools Used
Manual review
Recommended Mitigation Steps
In addition to those limits there could be more validation steps, or the limits could be adjusted according to market conditions. There must also be price validation.
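To make the break-even arithmetic from the Proof of Concept and the recommended price validation concrete, here is a constructed Go model added for this write-up (it is not code from the Canto repository): `SwapLimit`, `breakEvenCantoPrice`, `poolLossUSD` and `validateSwap` are hypothetical names, every amount and price uses 6-decimal micro-units, and the USD prices are assumed to come from an oracle.

```go
package main

import (
	"errors"
	"fmt"
)

// Micro is the scale for every amount and price below (6 decimals, USDC/USDT precision).
const Micro = 1_000_000

// SwapLimit is a constructed model of the per-denom limit the finding describes: a maximum
// input coin amount paired with the fixed Canto payout. Hypothetical, not x/coinswap params.
type SwapLimit struct {
	Denom    string
	MaxInput uint64 // largest input accepted, in micro-units of Denom
	CantoOut uint64 // Canto paid out for an accepted swap, in micro-Canto
}

// breakEvenCantoPrice returns the Canto price (micro-USD per Canto) at which the capped input
// is worth exactly the Canto paid out. For 10 USDC against 4 Canto this is 2.5 USD.
func breakEvenCantoPrice(l SwapLimit, inputPriceUSD uint64) uint64 {
	inputUSD := l.MaxInput * inputPriceUSD / Micro
	return inputUSD * Micro / l.CantoOut
}

// poolLossUSD returns the value (micro-USD) the pool gives away on one swap of `input`
// at the given prices, or 0 when the swap is at or below break-even.
func poolLossUSD(l SwapLimit, input, inputPriceUSD, cantoPriceUSD uint64) uint64 {
	inputUSD := input * inputPriceUSD / Micro
	payoutUSD := l.CantoOut * cantoPriceUSD / Micro
	if payoutUSD <= inputUSD {
		return 0
	}
	return payoutUSD - inputUSD
}

// validateSwap applies the existing nominal cap and then the price validation the finding
// recommends: reject when the Canto paid out is worth more than the input coin.
func validateSwap(l SwapLimit, input, inputPriceUSD, cantoPriceUSD uint64) error {
	if input > l.MaxInput {
		return errors.New("input exceeds max swap amount")
	}
	if loss := poolLossUSD(l, input, inputPriceUSD, cantoPriceUSD); loss > 0 {
		return fmt.Errorf("%s swap rejected: pool would lose %d micro-USD (Canto price above break-even %d)",
			l.Denom, loss, breakEvenCantoPrice(l, inputPriceUSD))
	}
	return nil
}
```

With the PoC figures (10 USDC in, 4 Canto out, Canto at 3 USD) `poolLossUSD` reports a 2 USD loss per swap and `validateSwap` rejects it, while the same swap at 2 USD per Canto passes.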
Assessed type
Other