Credit to: HelloBloc

Description
In the following code, the error returned by x.bankKeeper.SendCoins is not handled, which will allow a malicious user to set the status without cost.
```go
// lock the swap-in token in the swap module's escrow account
escrowAddr := types.GetEscrowAddress(pool.EncounterPartyPort, pool.EncounterPartyChannel)
// the error returned here is dropped, so execution continues even if the transfer fails
k.bankKeeper.SendCoinsFromAccountToModule(ctx, sdk.MustAccAddressFromBech32(msg.Sender), escrowAddr.String(), sdk.NewCoins(*msg.TokenIn))
// construct the IBC data packet
rawMsgData, err := json.Marshal(msg)
if err != nil {
	return nil, err
}
```

Impact
This results in users being able to successfully swap without having a sufficient balance.
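The following is an added example, not code from the report or from the project under discussion. It models the reported pattern with a constructed in-memory bank keeper (a stand-in for the Cosmos SDK bank keeper; `Coin`, `memBank`, `swapState` and the module name `escrow-module` are assumptions made for the demonstration). `swapUnchecked` drops the error exactly as the snippet above does, so the escrow flag is set even when the sender has no balance; `swapChecked` is the hardened form that returns before touching state.

```go
package main

import (
	"errors"
	"fmt"
)

// Coin is a constructed stand-in for a single-denom sdk.Coin.
type Coin struct {
	Denom  string
	Amount int64
}

// BankKeeper mirrors the shape of the bank keeper call named in the report;
// the in-memory implementation below is a constructed stand-in, not the SDK.
type BankKeeper interface {
	SendCoinsFromAccountToModule(sender, module string, amt Coin) error
}

var errInsufficientFunds = errors.New("insufficient funds")

type memBank struct {
	balances map[string]map[string]int64 // addr -> denom -> amount
}

func newMemBank() *memBank {
	return &memBank{balances: map[string]map[string]int64{}}
}

func (b *memBank) balance(addr, denom string) int64 { return b.balances[addr][denom] }

func (b *memBank) credit(addr string, c Coin) {
	if b.balances[addr] == nil {
		b.balances[addr] = map[string]int64{}
	}
	b.balances[addr][c.Denom] += c.Amount
}

// SendCoinsFromAccountToModule fails (and moves nothing) when the sender
// cannot cover the amount, which is the case the report relies on.
func (b *memBank) SendCoinsFromAccountToModule(sender, module string, amt Coin) error {
	if b.balance(sender, amt.Denom) < amt.Amount {
		return errInsufficientFunds
	}
	b.balances[sender][amt.Denom] -= amt.Amount
	b.credit(module, amt)
	return nil
}

// swapState stands in for the pool status that the report says can be set
// without paying.
type swapState struct {
	Escrowed map[string]bool
}

const escrowModule = "escrow-module" // constructed placeholder module account

// swapUnchecked reproduces the vulnerable pattern: the transfer error is
// ignored, so the state update happens even though no funds were locked.
func swapUnchecked(bk BankKeeper, st *swapState, sender string, tokenIn Coin) error {
	bk.SendCoinsFromAccountToModule(sender, escrowModule, tokenIn) // error dropped
	st.Escrowed[sender] = true
	return nil
}

// swapChecked is the hardened form: a failed transfer aborts before any state
// is changed, so an unfunded sender cannot reach the escrowed state.
func swapChecked(bk BankKeeper, st *swapState, sender string, tokenIn Coin) error {
	if err := bk.SendCoinsFromAccountToModule(sender, escrowModule, tokenIn); err != nil {
		return fmt.Errorf("lock swap-in token: %w", err)
	}
	st.Escrowed[sender] = true
	return nil
}

func main() {
	bk := newMemBank() // "alice" starts with zero balance
	st := &swapState{Escrowed: map[string]bool{}}
	_ = swapUnchecked(bk, st, "alice", Coin{"atom", 100})
	fmt.Println("unchecked: escrowed =", st.Escrowed["alice"], "escrow balance =", bk.balance(escrowModule, "atom"))

	st2 := &swapState{Escrowed: map[string]bool{}}
	err := swapChecked(bk, st2, "alice", Coin{"atom", 100})
	fmt.Println("checked:   escrowed =", st2.Escrowed["alice"], "err =", err)
}
```

Running it prints that the unchecked path marks the swap as escrowed while the escrow account still holds nothing, whereas the checked path returns the insufficient-funds error and leaves the state untouched. The fix is a single `if err != nil { return nil, err }` immediately after the transfer call, before any state is written.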
Likelihood
This attack can be done by any user who does not have sufficient balance.
Related links
Ethics
Sorry for using GitHub to report this vulnerability, as I didn't find your security channel or any other effective way to report it at that time. However, I observed that your main-net was not online at that time, so I reported the issue via GitHub. Hope you don't mind.