Platform: Code4rena
Start Date: 20/06/2023
Pot Size: $36,500 USDC
Total HM: 2
Participants: 23
Period: 3 days
Judge: 0xean
Id: 252
League: ETH
Rank: 2/23
Findings: 2
Award: $3,562.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
3388.2784 USDC - $3,388.28
https://github.com/code-423n4/2023-06-canto/blob/main/Canto/x/coinswap/types/params.go#L34
There is an error in the code regarding the maximum a user can spend for the 4 Canto swap, the cap meant to minimize the risk of slippage. While the documentation claims it to be 0.01 ETH, in the code it is defined as 0.1 ETH, which is a 10x increase and significant.
While this file is not in scope, it seems an important miss and should be considered for the bounty contest. I would class it as Medium as it could harm user funds if exploited.
The team understands the problem regarding slippage, which is why they impose those maximum limits, so I don't feel I need to make any proof of concept here. The main idea is that the pool is very low in liquidity and the swap could cost much more than it should for the 4 Canto tokens.
Code examination
Apply the fix:
sdk.NewCoin(EthIBCDenom, sdk.NewIntWithDecimal(1, 16)), // 1 * 10^16 wei = 0.01 ETH, matching the documentation
Besides, while having those maximums helps to reduce the slippage risk, it also puts a constraint on the maximum price Canto could reach for the swap functionality to continue working during the onboarding process. For example, if the real Canto price goes above 3 USD, the swap would stop working as a whole for stablecoin deposits (capped at 10 USD; 4 x 3 USD == 12 USD), which is not ideal either, but OK to get started. I would recommend the team think of a solution that is more future proof.
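The two cap calculations discussed above, as an added example in Go that is not part of the original report or of the Canto code base. NewIntWithDecimal is re-implemented with math/big to mirror the sdk helper's value * 10^decimals semantics (an assumption about that helper, not the sdk package itself); the buggy value is modelled as NewIntWithDecimal(1, 17), which the report describes as 0.1 ETH but does not quote; and the 4 CANTO / 10 USD stablecoin cap figures are taken from the paragraph above.

```go
package main

import (
	"fmt"
	"math/big"
)

// ETH uses an 18-decimal base unit (1 ETH = 10^18 wei).
const ethDecimals = 18

// NewIntWithDecimal returns value * 10^decimals. This is an example
// re-implementation of the Cosmos SDK helper used in params.go, not the
// sdk package itself (assumption about its semantics).
func NewIntWithDecimal(value int64, decimals uint) *big.Int {
	pow := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(decimals)), nil)
	return new(big.Int).Mul(big.NewInt(value), pow)
}

// ETHFromWei renders a wei amount as a decimal ETH string with 4 places.
func ETHFromWei(wei *big.Int) string {
	r := new(big.Rat).SetFrac(wei, NewIntWithDecimal(1, ethDecimals))
	return r.FloatString(4)
}

// CapMatchesDoc is the check the report calls for: the configured ETH cap
// (in wei) must equal the documented value, given here in hundredths of an
// ETH so that 0.01 ETH is documentedHundredths == 1.
func CapMatchesDoc(configuredWei *big.Int, documentedHundredths int64) bool {
	documented := NewIntWithDecimal(documentedHundredths, ethDecimals-2)
	return configuredWei.Cmp(documented) == 0
}

// SwapFitsUnderCap models the second concern: buying cantoOut CANTO at
// priceUSD (USD per CANTO) requires cantoOut*priceUSD of stablecoin. If that
// exceeds the per-swap cap the swap cannot execute at all.
func SwapFitsUnderCap(cantoOut int64, priceUSD *big.Rat, capUSD int64) bool {
	needed := new(big.Rat).Mul(big.NewRat(cantoOut, 1), priceUSD)
	return needed.Cmp(big.NewRat(capUSD, 1)) <= 0
}

// MaxPriceUnderCap is the highest CANTO price (USD) at which a stablecoin
// swap for cantoOut CANTO still fits under capUSD.
func MaxPriceUnderCap(cantoOut, capUSD int64) *big.Rat {
	return big.NewRat(capUSD, cantoOut)
}

func main() {
	buggy := NewIntWithDecimal(1, 17) // assumed encoding of the 0.1 ETH the report found
	fixed := NewIntWithDecimal(1, 16) // 0.01 ETH as documented
	fmt.Printf("buggy cap = %s ETH, matches doc: %v\n", ETHFromWei(buggy), CapMatchesDoc(buggy, 1))
	fmt.Printf("fixed cap = %s ETH, matches doc: %v\n", ETHFromWei(fixed), CapMatchesDoc(fixed, 1))

	// Constructed price points around the 10 USD stablecoin cap for 4 CANTO.
	for _, p := range []*big.Rat{big.NewRat(2, 1), big.NewRat(5, 2), big.NewRat(3, 1)} {
		fmt.Printf("price %s USD: 4 CANTO swap fits under 10 USD cap: %v\n",
			p.FloatString(2), SwapFitsUnderCap(4, p, 10))
	}
	fmt.Printf("highest price at which the swap still works: %s USD\n",
		MaxPriceUnderCap(4, 10).FloatString(2))
}
```

Running it shows the configured cap failing the documentation check until the exponent is 16, and the 4 CANTO stablecoin swap fitting under the 10 USD cap only up to 2.50 USD per CANTO, so at the 3 USD price used in the report the swap cannot execute at all.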
Math
#0 - c4-pre-sort
2023-06-24T12:15:00Z
JeffCX marked the issue as duplicate of #8
#1 - c4-judge
2023-07-03T20:49:48Z
0xean marked the issue as satisfactory
#2 - c4-judge
2023-07-03T20:50:20Z
0xean changed the severity to 3 (High Risk)