Open c4-bot-6 opened 3 months ago
The onboarding module only swaps gas (very little) amounts, and it does it only once, so it's not clear how an H/M impact can be caused by this finding.
3docSec changed the severity to QA (Quality Assurance)
3docSec marked the issue as grade-b
Send to blocked address is already handled by IBC transfer module.
Once the IBC transfer ack has an error, the coinswap logic doesn't initiate, and we have a test case for that.
https://github.com/code-423n4/2024-05-canto/blob/main/canto-main/x/onboarding/ibc_module_test.go#L175-L191
Lines of code
https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/canto-main/x/coinswap/keeper/msg_server.go#L144
https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/canto-main/x/onboarding/keeper/ibc_callbacks.go#L96
Vulnerability details
Impact
Bypass the blacklist
Proof of Concept
The coinswap module's SwapCoin function validates the input parameters, then calls Swap, and then calls TradeInputForExactOutput/TradeExactInputForOutput:
SwapCoin -> Input verification -> Swap -> TradeInputForExactOutput/TradeExactInputForOutput
However, the onboarding module's OnRecvPacket callback function directly calls the TradeInputForExactOutput function without verifying the input:
OnRecvPacket -> TradeInputForExactOutput
In this report let's look at the validation of blockedAddrs:
There is no verification of Output.Address in OnRecvPacket, so an attacker can bypass blockedAddrs detection using the onboarding module.
Tools Used
vscode, manual
Recommended Mitigation Steps
Assessed type
Invalid Validation
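As an added illustration, not code from the Canto repository or from the report, the following hypothetical Go sketch models the pattern the report describes (SwapCoin validates the recipient, OnRecvPacket does not) and goes one step further than the report's empty mitigation section by enforcing the blockedAddrs check inside the shared trade routine, where both entry points reach it. Keeper, NewKeeper, Balance and the address strings are constructed for the example.

```go
package main

import "errors"

// ErrBlockedAddress is returned when a swap would pay out to a blocked address.
var ErrBlockedAddress = errors.New("recipient address is blocked")

// Keeper is a hypothetical coinswap-keeper stand-in: a blocklist plus constructed balances.
type Keeper struct {
	blockedAddrs map[string]bool
	balances     map[string]int64
}

// NewKeeper builds a Keeper whose blocklist contains the given addresses.
func NewKeeper(blocked ...string) *Keeper {
	k := &Keeper{blockedAddrs: map[string]bool{}, balances: map[string]int64{}}
	for _, a := range blocked {
		k.blockedAddrs[a] = true
	}
	return k
}

// Balance returns the constructed balance credited to addr.
func (k *Keeper) Balance(addr string) int64 { return k.balances[addr] }

// tradeInputForExactOutput is the shared inner trade routine. Enforcing the
// blocklist here covers every caller, so an entry point that skips its own
// input validation still cannot credit a blocked recipient.
func (k *Keeper) tradeInputForExactOutput(recipient string, amount int64) error {
	if k.blockedAddrs[recipient] {
		return ErrBlockedAddress
	}
	k.balances[recipient] += amount
	return nil
}

// SwapCoin models the message-handler path, which validates the recipient
// itself before trading (the entry-point check the report describes).
func (k *Keeper) SwapCoin(recipient string, amount int64) error {
	if k.blockedAddrs[recipient] {
		return ErrBlockedAddress
	}
	return k.tradeInputForExactOutput(recipient, amount)
}

// OnRecvPacket models the onboarding callback, which calls the trade routine
// directly; the check inside that routine is what now covers this path.
func (k *Keeper) OnRecvPacket(recipient string, amount int64) error {
	return k.tradeInputForExactOutput(recipient, amount)
}
```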