Description
In the following code content, the error handling of x.bankKeeper.SendCoins is missing, which will result in a malicious user being able to set the status without cost.

```go
// lock swap-in token to the swap module
escrowAddr := types.GetEscrowAddress(pool.EncounterPartyPort, pool.EncounterPartyChannel)
k.bankKeeper.SendCoinsFromAccountToModule(ctx, sdk.MustAccAddressFromBech32(msg.Sender), escrowAddr.String(), sdk.NewCoins(*msg.TokenIn))

// constructs the IBC data packet
rawMsgData, err := json.Marshal(msg)
if err != nil {
    return nil, err
}
```
Impact
This results in users being able to successfully swap without having a sufficient balance.
Likelihood
This attack can be done by any user who does not have sufficient balance.
Ethics
Sorry for using GitHub to report this vulnerability, as I didn't find your security channel and all the effective ways to report it at that time. However, I have observed that your main-net was not online at that time, so reported the issue via GitHub. Hope you don't mind.
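As an added illustration (not the ibcswap code), the stand-alone Go program below contrasts the reported pattern, where the result of `SendCoinsFromAccountToModule` is discarded, with the fix that propagates it. The `BankKeeper` interface, the in-memory bank, the balances and the account names are all constructed assumptions standing in for the Cosmos SDK keeper.

```go
package main

import "fmt"

// Minimal stand-in for the Cosmos SDK bank keeper (assumption: only the
// method shape and its error contract matter for this example).
type BankKeeper interface {
	SendCoinsFromAccountToModule(sender, module string, amount int64) error
}

// memBank is a constructed in-memory bank; like the real keeper it reports
// an insufficient-funds transfer as an error instead of moving coins.
type memBank struct{ balances map[string]int64 }

func (b *memBank) SendCoinsFromAccountToModule(sender, module string, amount int64) error {
	if b.balances[sender] < amount {
		return fmt.Errorf("insufficient funds: %s has %d, needs %d", sender, b.balances[sender], amount)
	}
	b.balances[sender] -= amount
	b.balances[module] += amount
	return nil
}

// swapUnchecked mirrors the reported code: the keeper's error is dropped, so
// the swap is treated as escrowed even when no coins were actually locked.
func swapUnchecked(bk BankKeeper, sender, escrow string, amount int64) (bool, error) {
	bk.SendCoinsFromAccountToModule(sender, escrow, amount)
	return true, nil // reports "escrowed" regardless of the transfer outcome
}

// swapChecked is the fix: check the keeper's error and abort the swap on failure.
func swapChecked(bk BankKeeper, sender, escrow string, amount int64) (bool, error) {
	if err := bk.SendCoinsFromAccountToModule(sender, escrow, amount); err != nil {
		return false, fmt.Errorf("lock swap-in token: %w", err)
	}
	return true, nil
}

func main() {
	bk := &memBank{balances: map[string]int64{"alice": 0}} // constructed: sender holds nothing
	ok, err := swapUnchecked(bk, "alice", "escrow", 100)
	fmt.Println("unchecked:", ok, err, "escrow balance:", bk.balances["escrow"])
	ok, err = swapChecked(bk, "alice", "escrow", 100)
	fmt.Println("checked:", ok, err)
}
```

Static checks catch this class of defect before review: the errcheck linter (also run by golangci-lint) reports any call whose error return value is discarded.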
---Original---
From: ***@***.***
Date: Mon, Mar 6, 2023 22:51 PM
To: ***@***.***
Cc: ***@***.***
Subject: [ibcswap/ibcswap] Need Error Handling for SendCoinsFromAccountToModule Function (Issue #8)
Credit to: HelloBloc
@liangping