Assessment reports>DojoSwap>Critical findings>Deposit amount is not validated against message funds
Category: Coding Mistakes

Deposit amount is not validated against message funds

Critical Severity
Critical Impact
High Likelihood

Description

In the launchpad contract's deposit function, ExecuteMsg::Deposit's amount field is not validated against the amount of funds actually sent by the message.

Impact

Depositors can specify arbitrarily large amounts, obtaining an arbitrarily large fraction of the offering_token.

Recommendations

Validate the amount field against the message info's fund's amount.

     if info.funds.len() != 1 || info.funds[0].denom != state.raising_denom {
         return Err(StdError::generic_err("Wrong denom"));
     }

+    if info.funds[0].amount != amount {
+        return Err(StdError::generic_err("Wrong amount"));
+    }

Remediation

This issue has been acknowledged by Dojoswap Labs, PTE, and a fix was implemented in commit ce55f60d.

Zellic © 2024Back to top ↑