code-423n4 / 2023-06-canto-findings


User with canto balance under the threshold will receive 4 `canto` for every transaction which will be included in a block #93

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/onboarding/keeper/ibc_callbacks.go#L89

Vulnerability details

Impact

A user who decides to send several different tokens to the canto network at the same time, and who has a canto balance under the threshold, will receive 4 canto for every transaction which satisfies the other onboarding conditions (token type, token amount), in case these transactions are included in one block. This way the user receives more canto than expected.

Proof of Concept

When the OnRecvPacket function is executed, it gets the user's balance from the state database at #L89 and checks whether the balance is under the threshold at #L92. If a user has less canto than the threshold, a part of their tokens will be swapped for 4 canto. But at this step it is only swapped virtually, because the state is not changed in the OnRecvPacket function. If the OnRecvPacket function receives another transaction of the user before the state is updated, it will again swap a part of the user's tokens for canto, because the user's balance is still less than the threshold. It's very similar to reentrancy but without token stealing.

Tools Used

Manual review.

Recommended Mitigation Steps

In such cases the user's transactions should be bunched into one transaction to prevent unexpected influence on the state.

Assessed type

Reentrancy
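A minimal Go model of the scenario the report describes, added here as an illustration with hypothetical names and parameters (it is not the Canto onboarding module's code): the threshold check reads only the committed balance, so with `trackPending=false` every packet in the same block is onboarded again, while counting the block's own pending credits stops after the first grant.

```go
package main

// Hypothetical parameters for this model (not the module's real values).
const (
	onboardingThreshold int64 = 4 // canto balance at or above which no swap happens
	onboardingGrant     int64 = 4 // canto credited per onboarded packet
)

// OnboardingKeeper models the callback in the report: the threshold check
// reads committed balances, while credits only land at block end.
type OnboardingKeeper struct {
	committed    map[string]int64 // balances as of the last committed block
	pending      map[string]int64 // credits earned earlier in this block
	trackPending bool             // false reproduces the reported behaviour
}

// balance is what the threshold check sees; the fix counts in-block credits too.
func (k *OnboardingKeeper) balance(addr string) int64 {
	if k.trackPending {
		return k.committed[addr] + k.pending[addr]
	}
	return k.committed[addr]
}

// OnRecvPacket returns the canto granted for one incoming packet.
func (k *OnboardingKeeper) OnRecvPacket(receiver string) int64 {
	if k.balance(receiver) >= onboardingThreshold {
		return 0
	}
	k.pending[receiver] += onboardingGrant
	return onboardingGrant
}
// EndBlock commits the block's credits to state and clears the pending set.
func (k *OnboardingKeeper) EndBlock() {
	for addr, amt := range k.pending {
		k.committed[addr] += amt
	}
	k.pending = map[string]int64{}
}
// CantoGrantedInBlock delivers n packets to addr within one block and returns the
// total canto granted; with trackPending=false every packet sees the stale balance.
func CantoGrantedInBlock(addr string, start int64, n int, trackPending bool) int64 {
	k := &OnboardingKeeper{committed: map[string]int64{addr: start}, pending: map[string]int64{}, trackPending: trackPending}
	var total int64
	for i := 0; i < n; i++ {
		total += k.OnRecvPacket(addr)
	}
	k.EndBlock()
	return total
}
```

Three packets from a zero-balance user in one block yield 12 canto under the stale check and 4 once in-block credits are counted.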

c4-pre-sort commented 1 year ago

JeffCX marked the issue as low quality report

JeffCX commented 1 year ago

This is not solidity code, no reentrancy

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Insufficient quality