Category: Coding Mistakes
Deposit amount is not validated against message funds
Critical Severity
Critical Impact
High Likelihood
Description
In the launchpad contract's deposit function, the amount field of ExecuteMsg::Deposit is not validated against the amount of funds actually sent with the message.
Impact
Depositors can specify arbitrarily large amounts, obtaining an arbitrarily large fraction of the offering_token.
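The flaw described above and the recommended check, as an added example that is not the launchpad contract's code: a dependency-free model of the CosmWasm MessageInfo and Coin types so both the unchecked and the checked deposit handler can be exercised offline. The State fields, the DepositError enum, the pro-rata allocation formula, the "uraise" denom and the deposit figures are constructed assumptions; only the denom check and the amount-equality check mirror the finding.

```rust
// Added example (assumed types, not cosmwasm_std): enough of Coin / MessageInfo
// to show why a caller-supplied amount must be compared with the attached funds.
#[derive(Debug, Clone, PartialEq)]
pub struct Coin {
    pub denom: String,
    pub amount: u128,
}

#[derive(Debug, Clone)]
pub struct MessageInfo {
    pub sender: String,
    pub funds: Vec<Coin>,
}

#[derive(Debug, Clone)]
pub struct State {
    pub raising_denom: String, // denom the launchpad accepts (named as in the finding)
    pub total_raised: u128,    // assumed field: sum of all credited deposits
}

#[derive(Debug, PartialEq)]
pub enum DepositError {
    WrongDenom,
    WrongAmount,
    Overflow,
}

// Mirrors the existing check: exactly one coin, and it must be the raising denom.
fn check_denom(state: &State, info: &MessageInfo) -> Result<(), DepositError> {
    if info.funds.len() != 1 || info.funds[0].denom != state.raising_denom {
        return Err(DepositError::WrongDenom);
    }
    Ok(())
}

/// Vulnerable handler: credits the caller-supplied `amount` from ExecuteMsg::Deposit
/// without comparing it to the coins actually attached in `info.funds`.
pub fn deposit_unchecked(state: &mut State, info: &MessageInfo, amount: u128) -> Result<u128, DepositError> {
    check_denom(state, info)?;
    state.total_raised = state.total_raised.checked_add(amount).ok_or(DepositError::Overflow)?;
    Ok(amount)
}

/// Hardened handler (the recommended fix): attached funds must equal the claimed amount.
pub fn deposit_checked(state: &mut State, info: &MessageInfo, amount: u128) -> Result<u128, DepositError> {
    check_denom(state, info)?;
    if info.funds[0].amount != amount {
        return Err(DepositError::WrongAmount);
    }
    state.total_raised = state.total_raised.checked_add(amount).ok_or(DepositError::Overflow)?;
    Ok(amount)
}

/// Assumed pro-rata allocation: a depositor's share of `offering_total` is
/// credited / total_raised, so an inflated credit dilutes every honest depositor.
pub fn allocation(credited: u128, total_raised: u128, offering_total: u128) -> u128 {
    if total_raised == 0 {
        return 0;
    }
    offering_total * credited / total_raised
}

// Builds a message carrying a single coin (constructed sample input).
fn sample_info(sender: &str, denom: &str, amount: u128) -> MessageInfo {
    MessageInfo { sender: sender.to_string(), funds: vec![Coin { denom: denom.to_string(), amount }] }
}

fn main() {
    // Constructed scenario: an honest user attaches 1_000 uraise and claims 1_000;
    // a dishonest user attaches 1 uraise but claims 1_000_000 in the message.
    let honest = sample_info("honest", "uraise", 1_000);
    let dishonest = sample_info("dishonest", "uraise", 1);

    let mut vulnerable = State { raising_denom: "uraise".to_string(), total_raised: 0 };
    let h = deposit_unchecked(&mut vulnerable, &honest, 1_000).unwrap();
    let d = deposit_unchecked(&mut vulnerable, &dishonest, 1_000_000).unwrap();
    println!(
        "unchecked: paid 1, credited {}, receives {} of 10_000 offering_token; honest receives {}",
        d,
        allocation(d, vulnerable.total_raised, 10_000),
        allocation(h, vulnerable.total_raised, 10_000)
    );

    let mut fixed = State { raising_denom: "uraise".to_string(), total_raised: 0 };
    deposit_checked(&mut fixed, &honest, 1_000).unwrap();
    println!("checked: mismatched deposit -> {:?}", deposit_checked(&mut fixed, &dishonest, 1_000_000));
}
```

Both handlers keep the original denom check first, which is what makes indexing info.funds[0] safe in the amount comparison that follows it.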
Recommendations
Validate the amount field against the amount of the funds carried in the message info.
if info.funds.len() != 1 || info.funds[0].denom != state.raising_denom {
return Err(StdError::generic_err("Wrong denom"));
}
+ if info.funds[0].amount != amount {
+ return Err(StdError::generic_err("Wrong amount"));
+ }
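Review bot: the added check compares info.funds[0].amount with amount using strict equality, which is the right strictness for a deposit (an under-funded message is rejected, and an over-payment is not silently credited at the lower claimed value); keep it after the existing denom check, because that check is what guarantees info.funds.len() == 1 and makes the info.funds[0] index safe. The snippet does not show where amount is bound; it must be the amount field destructured from ExecuteMsg::Deposit, not a value read back from state, or the comparison is vacuous.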
Remediation
This issue has been acknowledged by Dojoswap Labs, PTE, and a fix was implemented in commit ce55f60d.