c4-pre-sort
commented
1 year ago JeffCX marked the issue as duplicate of #78
Closed code423n4 closed 1 year ago
c4-pre-sort
commented
1 year ago JeffCX marked the issue as duplicate of #78
c4-judge
commented
1 year ago 0xean marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-06-canto/blob/main/Canto/x/onboarding/keeper/ibc_callbacks.go#L93
Vulnerability details
Impact
If the
receiverthat is specified in the IBC callback doesn't have enough tokens for interacting with the Canto network (defaults at 4CANTO), then the middleware is going to swap the tokens for someCANTOtokens on the Canto network and convert the rest to theirERC20representation.The issue is that between the time the transaction is signed and that it's executed, the liquidity curve may have moved.
This is how e.g. Uniswap does that for their V2 Router.
If the receiver doesn't have enough
CANTOtoken in his balance to cover transactions when onboarded on Canto, then the tokens that are sent to the middleware are swapped for 4CANTO(as default).As the full balance is sent to the swap, it's quite unsafe for a user to sent an onboarding transaction because they are quite unsure if the price is going to move, and if the
MaxSwapAmountis later set to a higher amount, then an unexpected amount of tokens are going to be spent. There is basically an almost 100% slippage sent as swaps because of this.Because the maximum tokens swapped are worth about 10$ and that the expected 4
CANTOare worth about 0.4$, the slippage is $10 / (10 + 0.4) \approx 0.96$ which is a 96% allowed slippage. ForETH, which is worth about1900$at the time of writing, the slippage is even worse. $19 / (19 + 0.4) \approx 0.98$ so about 98%.Tools Used
Manual inspection
Recommended Mitigation Steps
It would be a reasonable change to add a
deadlineparameter passed as thepacketparameter just to make sure that none of these events occur in the future.Assessed type
Timing