Platform: Code4rena
Start Date: 20/06/2023
Pot Size: $36,500 USDC
Total HM: 2
Participants: 23
Period: 3 days
Judge: 0xean
Id: 252
League: ETH
Rank: 3/23
Findings: 2
Award: $3,407.64
🌟 Selected for report: 0
🚀 Solo Findings: 0
3388.2784 USDC - $3,388.28
In the "coinswap" module a limit is in place for avoiding large swaps and their potential to manipulate the price in a low-liquidity scenario.
The spec says:
For risk management purposes, a swap will fail if the input coin amount exceeds a pre-defined limit (10 USDC, 10 USDT, 0.01 ETH) or if the swap amount limit is not defined.
The limit as stated in the spec is of $10~15 which is about 1% of the maximum liquidity allowed in CANTO (10,000 canto ~= $1,000). However, the ETH/Canto pool has a 0.1ETH ~= $150 swap limit that is 15x higher. This discrepancy, with the "0.01" mention in the spec, gives high confidence that the value in the code is not the intended one, and is an off-by-one error.
The following failing test case would pass if the amounts respected the spec:
package types import ( "github.com/stretchr/testify/assert" "testing" ) func TestDefaultParams(t *testing.T) { // 10 USDC (10 + 6 zeros) assert.Equal(t, 8, len(DefaultMaxSwapAmount.AmountOfNoDenomValidation(UsdcIBCDenom).String())) // 10 USDT (10 + 6 zeros) assert.Equal(t, 8, len(DefaultMaxSwapAmount.AmountOfNoDenomValidation(UsdcIBCDenom).String())) // 0.01 ETH (1 + (18-2=) 16 zeros) assert.Equal(t, 17, len(DefaultMaxSwapAmount.AmountOfNoDenomValidation(EthIBCDenom).String())) }
Visual inspection
Change params.go#L34 line to
sdk.NewCoin(EthIBCDenom, sdk.NewIntWithDecimal(1, 16)),
Decimal
#0 - c4-pre-sort
2023-06-24T12:12:07Z
JeffCX marked the issue as primary issue
#1 - JeffCX
2023-06-24T13:59:58Z
The report highlights a misconfiguration, the setting for ETH limit is 0.01 ETH while the current setting is 0.1 ETH, I believe the report worth sponsor's review
#2 - tkkwon1998
2023-06-28T16:04:26Z
Agreed, this issue is valid as limit is 10x higher than it should be. Although losses are still minimal (0.1 eth at most), I agree with high risk since funds can be lost if pools are manipulated.
#3 - c4-sponsor
2023-06-28T16:04:32Z
tkkwon1998 marked the issue as sponsor confirmed
#4 - c4-judge
2023-06-30T20:41:57Z
0xean marked the issue as satisfactory
#5 - c4-judge
2023-07-03T21:08:23Z
0xean marked issue #36 as primary and marked this issue as a duplicate of 36
19.3584 USDC - $19.36
the swap limit MaxSwapAmount is easily circumvented: one could chain multiple types.MsgSwapOrder in the same transaction and achieve atomically the same result as swapping a larger amount with a single message
x/onboarding/keeper/ibc_callbacks.go function OnRecvPacket:
#0 - c4-judge
2023-07-02T01:27:41Z
0xean marked the issue as grade-c
#1 - c4-judge
2023-07-02T13:21:44Z
0xean marked the issue as grade-b