Assessment reportsPublic findings
Back to Zellic site
Assessment reports>DojoSwap>Low findings>Final withdraw sends tokens to itself
GeneralOverview
Findings
Critical (1)
High (1)
Low (3)Final withdraw sends tokens to itselfAddress-string comparisonFewer tokens sent than required in migrate_staking
Informational (3)
DiscussionComposability
Threat ModelCrate: dojoswap_stakingCrate: launchpadCrate: dojoswap_pair
Audit ResultsAssessment Results
Category: Coding Mistakes

Final withdraw sends tokens to itself

Low Severity
Low Impact
Low Likelihood

Description

At the end of the final_withdraw, it is stated that the offering is sent to the admin, but it actually sends the final offering to the contract itself instead.

// Transfer offering tokens to admin
if offer_amount > Uint128::zero() {
    messages.push(CosmosMsg::Wasm(WasmMsg::Execute {
        contract_addr: state.offering_token.to_string(),
        msg: to_json_binary(&Cw20ExecuteMsg::Transfer {
            recipient: env.contract.address.to_string(),
            amount: offer_amount,
        })?,
        funds: vec![],
    }));
}

Impact

The raised offering tokens are not sent to the correct destination.

Recommendations

Ensure the offering tokens are sent to the correct destination.

Remediation

This issue has been acknowledged by Dojoswap Labs, PTE, and a fix was implemented in commit ce55f60d.

The relevant section of the patch is:

         messages.push(CosmosMsg::Wasm(WasmMsg::Execute {
             contract_addr: state.offering_token.to_string(),
             msg: to_json_binary(&Cw20ExecuteMsg::Transfer {
-                recipient: env.contract.address.to_string(),
+                recipient: info.sender.to_string(),
                 amount: offer_amount,
             })?,
             funds: vec![],
Zellic © 2024Back to top ↑