Closed code423n4 closed 1 year ago
JeffCX marked the issue as primary issue
Our docs should've been more clear. The deposits to the pool fail if the number of canto exceeds 10,000. Swaps can still be made even if it increases the canto reserves to above 10,000. There cannot be a hard cap for reserves in an AMM, because then you would be limiting price movement.
tkkwon1998 marked the issue as sponsor acknowledged
This sounds like a case of code not meeting the spec or vise versa, QA base on c4 guidelines.
0xean changed the severity to QA (Quality Assurance)
0xean marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/coinswap/keeper/swap.go#L72-L115 https://github.com/code-423n4/2023-06-canto/blob/a4ff2fd2e67e77e36528fad99f9d88149a5e8532/Canto/x/coinswap/keeper/swap.go#L163-L208
Vulnerability details
Impact
As for the business logic, it is expected that the number of Canto tokens in each pool should not exceed the predefined limit, which is specified as
MaxStandardCoinPerPool
. However, the current implementation in the source code does not enforce control over the amount of Canto tokens in the pools. This will have an unexpected impact on the value of the Canto token.Proof of Concept
Assume that currently Bob has funds on Canto Network. There is a pool CANTO/BTC with reserves
10000000000 CANTO
and10000000000 BTC
. Bob performs a swap action, exchanging exactly10 CANTO
forBTC
. With theMaxStandardCoinPerPool
is10000000005
, the transaction is still successful and Bob receives9 BTC
.Unit test:
Log of the test:
Recommended Mitigation Steps
Add logic to functions
TradeExactInputForOutput
andTradeInputForExactOutput
to check if standard denomination amount exceeds the limit.Function
TradeExactInputForOutput
:Function
TradeInputForExactOutput
:Assessed type
Other