Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MsgSwapOrder will never work for Canto nodes #27

Open
howlbot-integration bot opened this issue Jun 21, 2024 · 7 comments · Fixed by b-harvest/Canto#62
Open

MsgSwapOrder will never work for Canto nodes #27

howlbot-integration bot opened this issue Jun 21, 2024 · 7 comments · Fixed by b-harvest/Canto#62
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working edited-by-warden M-02 primary issue Highest quality submission among a set of duplicates 🤖_12_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/canto-main/proto/canto/coinswap/v1/tx.proto#L96-L104

Vulnerability details

Impact

MsgSwapOrder will never work for Canto nodes

Proof of Concept

An oversight in the MsgSwapOrder where the tag is directed to nested Input message lacks the necessary cosmos.msg.v1.signer to indirectly identify the signer

message Input {
  string address = 1;
  cosmos.base.v1beta1.Coin coin = 2 [ (gogoproto.nullable) = false ];
}

Tools Used

Eyes

Recommended Mitigation Steps

Add DefineCustomGetSigners call in app.go for the coinswap Input message like u did for MsgConvertERC20

https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/canto-main/app/app.go#L316

signingOptions.DefineCustomGetSigners(protov2.MessageName(&erc20v1.MsgConvertERC20{}), erc20types.GetSignersFromMsgConvertERC20V2)

Assessed type

Other
@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value 🤖_12_group AI based duplicate group recommendation bug Something isn't working duplicate-4 edited-by-warden sufficient quality report This report is of sufficient quality labels Jun 21, 2024
howlbot-integration bot added a commit that referenced this issue Jun 21, 2024
@howlbot-integration
0x1771 issue #27
2df5a26
@C4-Staff C4-Staff reopened this Jun 26, 2024
@C4-Staff
Copy link

CloudEllie marked the issue as not a duplicate

@C4-Staff
Copy link

CloudEllie marked the issue as primary issue

@C4-Staff C4-Staff added the primary issue Highest quality submission among a set of duplicates label Jun 26, 2024
@C4-Staff C4-Staff mentioned this issue Jun 26, 2024
Closed
@poorphd poorphd added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jun 27, 2024
@poorphd
Copy link

poorphd commented Jun 27, 2024

  • Label
    • sponsor confirmed
  • Reasoning
    • The liquidity pools used for onboarding are directly called by the keeper method in the IBC middleware, so there is no problem with the onboarding function because the swap occurs. However, since only the swap from the ibc voucher to canto takes place, if there is a price discrepancy, a mechanism is needed for the arbitrager to return to the appropriate price through MsgSwapOrder.
  • Severity
    • MidQA
    • In order to abuse this for price manipulation, it is necessary to repeatedly make auto-swaps through IBC transfers, but the auto-swap function only works when the balance of canto is less than 4, making it difficult to manipulate prices. This issue is valid, but since it is not an issue that opposes the real risk of assets, the severity should be adjusted from Mid to QA.
  • Patch
    • We will patch this before the v0.50 production release

@3docSec
Copy link

3docSec commented Jun 27, 2024

As the sponsor said, the effect of this vulnerability is that the pools' price drifts won't be balanced by a necessary arbitraging force which is required for the swap to meet the slippage / maxSwapAmount check, hence impacting the availability of the Onboarding functionality. For this reason, I find M an appropriate severity for this finding.

@c4-judge
Copy link

3docSec marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jun 27, 2024
@c4-judge
Copy link

3docSec marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Jun 27, 2024
@poorphd poorphd mentioned this issue Jul 3, 2024
Merged
10 tasks
@C4-Staff C4-Staff added the M-02 label Jul 9, 2024
@c4-sponsor c4-sponsor reopened this Jul 17, 2024
@c4-sponsor
Copy link

@poorphd Sponsors are not allowed to close, reopen, or assign issues or pull requests.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working edited-by-warden M-02 primary issue Highest quality submission among a set of duplicates 🤖_12_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

refactor: CustomGetSigners for MsgSwapOrder b-harvest/Canto
5 participants
@c4-judge @c4-sponsor @C4-Staff @poorphd @3docSec