Assessment reportsPublic findings
Back to Zellic site
Assessment reports>DojoSwap>Low findings>Address-string comparison
GeneralOverview
Findings
Critical (1)
High (1)
Low (3)Final withdraw sends tokens to itselfAddress-string comparisonFewer tokens sent than required in migrate_staking
Informational (3)
DiscussionComposability
Threat ModelCrate: dojoswap_stakingCrate: launchpadCrate: dojoswap_pair
Audit ResultsAssessment Results
Category: Coding Mistakes

Address-string comparison

Low Severity
Low Impact
Low Likelihood

Description

Addresses are compared using string comparisons. In CosmWasm, there are two valid representations of addresses, uppercase and lowercase addresses. The sender may be the correct authorized address; however, the comparison may fail.

// Check if the sender is the admin
if info.sender.to_string() != state.admin {
    return Err(StdError::generic_err("Unauthorized: not admin"));
}

Impact

The correct authorized sender may not be allowed, and the transaction may revert.

Recommendations

Use the correct canonicalized representation of the addresses.

Remediation

This was remediated in commit 5e6ce5b5 by comparing the canonicalized version of the addresses.

Zellic © 2024Back to top ↑