Impact
A user who sends several different tokens to the canto network at the same time, and whose canto balance is under the threshold, will receive 4 canto for every transaction that satisfies the other onboarding conditions (token type, token amount), provided these transactions are included in one block. This way the user receives more canto than expected.
Proof of Concept
When the OnRecvPacket function is executed, it reads the user's balance from the state database at #L89 and checks whether the balance is under the threshold at #L92. If the user has less canto than the threshold, part of their tokens will be swapped for 4 canto. At this step the swap is only virtual, because the state is not changed in the OnRecvPacket function. If OnRecvPacket receives another transaction from the same user before the state is updated, it will again swap part of the user's tokens for canto, because the user's balance is still below the threshold. This is very similar to reentrancy, but without token stealing.
Tools Used
Manual review.
Recommended Mitigation Steps
In such cases, the user's transactions should be batched into one transaction to prevent unexpected influence on the state.
Lines of code
https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/keeper/ibc_callbacks.go#L89
Assessed type
Reentrancy
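The double swap described in the Proof of Concept, as a simplified Go model added here (it is not Canto's onboarding code). The `Packet` type, both function names, the account names and the threshold value are constructed for illustration; only the 4 canto per swap comes from the report.

```go
package main

import "fmt"

// Constructed values for illustration; not Canto's real parameters.
const (
	threshold  = 4 // auto-swap triggers while the canto balance is below this
	swapAmount = 4 // canto credited per triggered swap (figure from the report)
)

// Packet is a hypothetical stand-in for one incoming IBC transfer.
type Packet struct {
	Recipient string
	Denom     string
}

// processStale models the behaviour the finding describes: every packet in
// the block is checked against the balance committed before the block, so
// each one passes the threshold check and is credited.
func processStale(committed map[string]int, block []Packet) map[string]int {
	credited := map[string]int{}
	for _, p := range block {
		if committed[p.Recipient] < threshold { // stale read
			credited[p.Recipient] += swapAmount
		}
	}
	return credited
}

// processBatched models the recommended mitigation: the recipient's packets
// are handled as one unit, so the check sees credits already granted.
func processBatched(committed map[string]int, block []Packet) map[string]int {
	credited := map[string]int{}
	for _, p := range block {
		if committed[p.Recipient]+credited[p.Recipient] < threshold {
			credited[p.Recipient] += swapAmount
		}
	}
	return credited
}

func main() {
	committed := map[string]int{"alice": 0, "bob": 10} // constructed balances
	block := []Packet{{"alice", "tokenA"}, {"alice", "tokenB"}, {"alice", "tokenC"}, {"bob", "tokenA"}}
	fmt.Println("stale check:  ", processStale(committed, block))
	fmt.Println("batched check:", processBatched(committed, block))
}
```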