TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Valid

Cross-Chain Message Encoding/Decoding Mismatch in #TempleTeleporter Contract

Summary

The contract TempleTeleporter.sol inconsistently handles address encoding and decoding across its cross-chain messaging functions, which could potentially lead to transaction failures, possible loss of funds, and complete system breakdown.

Vulnerability Details

In the teleport function, the recipient address is encoded using addressToBytes32():

bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);

However, the _lzReceive function attempts to decode the address directly:

(address _recipient, uint256 _amount) = abi.decode(_payload, (address, uint256));

Additionally, in the quote function, the address is not encoded using addressToBytes32().

return _quote(_dstEid, abi.encodePacked(_to, _amount), _options, false);

This mismatch causes the _lzReceive function to incorrectly interpret the incoming data, as it's expecting a 20-byte address but receiving a 32-byte value.

Impact

  1. This vulnerability will cause all incoming cross-chain transfers to fail, rendering the core functionality of the contract inoperable.

  2. This will lead to tokens being burned but not minted on the other chain, and the user will lose funds.

  3. The quote function also calculates the fee incorrectly.

Tools Used

Manual code review

Recommendations

  1. Update the _lzReceive function to correctly decode the bytes32 address:

    function _lzReceive(
        Origin calldata /*_origin*/,
        bytes32 /*_guid*/,
        bytes calldata _payload,
        address /*_executor,*/,
        bytes calldata /*_extraData */
    ) internal override {
        (bytes32 _recipientBytes32, uint256 _amount) = abi.decode(_payload, (bytes32, uint256));
        address _recipient = address(uint160(uint256(_recipientBytes32)));
        temple.mint(_recipient, _amount);
    }

  2. Update the quote function to correctly encode the bytes32 address:

    function quote(
        uint32 _dstEid,
        address _to,
        uint256 _amount,
        bytes memory _options
    ) external view returns (MessagingFee memory fee) {
        return _quote(_dstEid, abi.encodePacked(_to.addressToBytes32(), _amount), _options, false);
    }

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect payload bytes in `quote()` they use `abi.encodePacked(_to, _amount)` instead of `abi.encodePacked(_to.addressToBytes32(), _amount)`
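
The payload sizes behind this finding, as an added Python model (not code from the TempleGold repository): it mirrors `abi.encodePacked` for the types used on this page and decodes with the recommended `(bytes32, uint256)` layout. All function names and the sample recipient and amount are assumptions constructed for illustration.

```python
# Added model of Solidity's abi.encodePacked for the types used in
# teleport() and quote(). Sample values are constructed, not from the repo.

def pack_address(addr: str) -> bytes:
    """abi.encodePacked(address): the raw 20 bytes, no padding."""
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw

def address_to_bytes32(addr: str) -> bytes:
    """addressToBytes32(): left-pad the address to one 32-byte word."""
    return pack_address(addr).rjust(32, b"\x00")

def pack_uint256(value: int) -> bytes:
    """abi.encodePacked(uint256): 32 bytes, big-endian."""
    return value.to_bytes(32, "big")

def teleport_payload(to: str, amount: int) -> bytes:
    # abi.encodePacked(to.addressToBytes32(), amount)
    return address_to_bytes32(to) + pack_uint256(amount)

def quote_payload(to: str, amount: int) -> bytes:
    # abi.encodePacked(_to, _amount), as quote() builds it before the fix
    return pack_address(to) + pack_uint256(amount)

def decode_recommended(payload: bytes):
    """Recommended _lzReceive decoding: (bytes32, uint256), then cast."""
    if len(payload) < 64:
        raise ValueError(f"payload is {len(payload)} bytes, need 64")
    word, amount_word = payload[:32], payload[32:64]
    recipient = "0x" + word[12:].hex()  # address(uint160(uint256(word)))
    return recipient, int.from_bytes(amount_word, "big")

TO = "0x" + "ab" * 20        # constructed recipient
AMOUNT = 5 * 10**18          # constructed amount

if __name__ == "__main__":
    sent, quoted = teleport_payload(TO, AMOUNT), quote_payload(TO, AMOUNT)
    print("teleport payload bytes:", len(sent))
    print("quote payload bytes:   ", len(quoted))
    print("decoded from teleport: ", decode_recommended(sent))
    try:
        decode_recommended(quoted)
    except ValueError as err:
        print("quote payload rejected:", err)
```
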
