blockedAddrs can bypass #10
Labels
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
grade-b
insufficient quality report: This report is not of sufficient quality
Q-11
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_primary: AI based primary recommendation
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/canto-main/x/coinswap/keeper/msg_server.go#L144
https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/canto-main/x/onboarding/keeper/ibc_callbacks.go#L96
Vulnerability details
Impact
Bypass the blacklist
Proof of Concept
In the coinswap module, the SwapCoin function validates the input parameters, then calls the Swap function, and then calls TradeInputForExactOutput/TradeExactInputForOutput:
SwapCoin -> Input verification -> Swap -> TradeInputForExactOutput/TradeExactInputForOutput
However, the onboarding module's OnRecvPacket callback function directly calls the TradeInputForExactOutput function without verifying the input:
OnRecvPacket -> TradeInputForExactOutput
In this report let's look at the validation of blockedAddrs:
There is no verification of Output.Address in OnRecvPacket, so an attacker can bypass blockedAddrs detection using the onboarding module.
Tools Used
vscode, manual
Recommended Mitigation Steps
Assessed type
Invalid Validation
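The two call paths described in the report, reduced to a toy model that shows why a check placed only in one entry point does not protect a shared function. This is an added example, not code from the report or from the Canto repository: the Keeper type, its fields, the simplified signatures, OnRecvPacketChecked and the "blk" address are assumptions, and only the function names SwapCoin, OnRecvPacket and TradeInputForExactOutput come from the report.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified model: only the function names come from the report.
var ErrBlocked = errors.New("output address is blocked")

type Keeper struct {
	blockedAddrs map[string]bool
	balances     map[string]int64
}

// TradeInputForExactOutput is the shared sink; it trusts what its caller passes.
func (k *Keeper) TradeInputForExactOutput(out string, amt int64) error {
	k.balances[out] += amt
	return nil
}

// SwapCoin checks blockedAddrs first (the intermediate Swap step is omitted here).
func (k *Keeper) SwapCoin(out string, amt int64) error {
	if k.blockedAddrs[out] {
		return fmt.Errorf("%w: %s", ErrBlocked, out)
	}
	return k.TradeInputForExactOutput(out, amt)
}

// OnRecvPacket models the callback as the report describes it: no validation.
func (k *Keeper) OnRecvPacket(out string, amt int64) error {
	return k.TradeInputForExactOutput(out, amt)
}

// OnRecvPacketChecked routes the callback through the validated entry point.
func (k *Keeper) OnRecvPacketChecked(out string, amt int64) error {
	return k.SwapCoin(out, amt)
}

func main() {
	// Constructed sample state; "blk" is a made-up blocked address.
	k := &Keeper{map[string]bool{"blk": true}, map[string]int64{}}
	fmt.Println(k.SwapCoin("blk", 5), k.OnRecvPacket("blk", 5), k.OnRecvPacketChecked("blk", 5))
}
```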