3docSec
commented
2 months ago The onboarding module only swaps gas (very little) amounts, and it does it only once, so it's not clear how an H/M impact can be caused by this finding.
Open c4-bot-6 opened 3 months ago
3docSec
commented
2 months ago The onboarding module only swaps gas (very little) amounts, and it does it only once, so it's not clear how an H/M impact can be caused by this finding.
c4-judge
commented
2 months ago 3docSec changed the severity to QA (Quality Assurance)
c4-judge
commented
2 months ago 3docSec marked the issue as grade-b
poorphd
commented
2 months ago Send to blocked address is already handled by IBC transfer module.
Once IBC transfer ack has error, coinswap logic doesn't initiate and we have test case for that.
https://github.com/code-423n4/2024-05-canto/blob/main/canto-main/x/onboarding/ibc_module_test.go#L175-L191
Lines of code
https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/canto-main/x/coinswap/keeper/msg_server.go#L144 https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/canto-main/x/onboarding/keeper/ibc_callbacks.go#L96
Vulnerability details
Impact
Bypass the blacklist
Proof of Concept
coinswap module
SwapCoinfunction to validate the input parameters Then callSwapfunction, and then callTradeInputForExactOutput/TradeExactInputForOutputSwapCoin -> Input verification -> Swap -> TradeInputForExactOutput/TradeExactInputForOutput
However, the onboarding module's
OnRecvPacketcallback function directly calls theTradeInputForExactOutputfunction without verifying the input.OnRecvPacket -> TradeInputForExactOutput
In this report let's look at the validation of blockedAddrs:
There is no verification of
Output.AddressinOnRecvPacket, so an attacker can bypassblockedAddrsdetection using theonboardingmodule.Tools Used
vscode, manual
Recommended Mitigation Steps
Assessed type
Invalid Validation