Code4rena (code423n4), CODE423N4:2023-06-CANTO-FINDINGS-ISSUES-88
Jun 23, 2023 - 12:00 a.m.

Canto pool could be drained.


Lines of code

Vulnerability details

Impact

It was written that there is a limit of 10 USDC / 10 USDT / 0.01 ETH, which currently equals almost 10 USDT / 10 USDC / 18 USDT. These limits are for 4 Canto, which means the code accepts a Canto price of at most 2,5 USDC or equivalent. It is also written in the contest page: ‘For risk management purposes, a swap will fail if the input coin amount exceeds a pre-defined limit (10 USDC, 10 USDT, 0.01 ETH) or if the swap amount limit is not defined.’

Proof of Concept

When users lock their funds (USDC/USDT/ETH) at Gravity Bridge, the IBC layer triggers the callback for the swap for the min Canto. However, the max threshold for the funds being sent is set to 10 USDC / 10 USDT / 0.01 ETH. This creates an arbitrage opportunity for the users when the price of Canto is at least, let’s say, 2,5 USDC.
E.g. The price of Canto hits 3 USDC. A user sends 10 USDC and swaps 4 Canto on Canto EVM and sends back 4 Canto to Gravity Bridge. This leads to draining the Canto Pool on the Gravity Bridge side.

Tools Used

Manual review

Recommended Mitigation Steps

In addition to those limits there can be more validation steps, or limits could be increased according to market conditions. There must be price validations too.

Assessed type

Other

