TempleGold

TempleDAO
Foundry
25,000 USDC
View results
Submission Details
Severity: low
Invalid

An attacker can permanently DoS the LayerZero communication channel

## Summary
Based on LayerZero docs for [Message Ordering](https://docs.layerzero.network/v1/home/concepts/messaging-properties#message-ordering): "the message order nonce is shared by all dstUA on the same dstChain. That's why a STORED message blocks the message pathway from srcUA to all dstUA on the same destination chain. If it isn't necessary to preserve the sequential nonce property for a particular dstUA the sender must add the nonce into the payload and handle it end-to-end within the UA. UAs can implement a non-blocking pattern in their contract code."
In simple words, because the nonce is shared if a single message encounters an error, subsequent messages cannot proceed for a certain channel until the issue is resolved.
## Vulnerability Details
The problem lies in the `TempleTeleporter::teleport()` function, which is used for cross-chain transfer of Temple tokens on Mainnet-Arbitrum channel.
```javascript
function teleport(
uint32 dstEid,
address to,
uint256 amount,
bytes calldata options
) external payable override returns(MessagingReceipt memory receipt) {
if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
// Encodes the message before invoking _lzSend.
bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);
// debit
temple.burnFrom(msg.sender, amount);
emit TempleTeleported(dstEid, msg.sender, to, amount);
receipt = _lzSend(dstEid, _payload, options, MessagingFee(msg.value, 0), payable(msg.sender));
}
```
As can be seen the nonce recommendation from LayerZero is not implemented in the `payload` hashing, that means if one message fails, the following ones will do also. So if an attacker delibately fails a message transaction, the Mainnet-Arbitrum channel will be blocked forever thus making it completely unusable.
As can be seen in the teleporter contract, the non-blocking recommendation is not utilized anywhere in code: https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/TempleTeleporter.sol
## Impact
- High: an attacker can block permanently a channel between chains
## Tools Used
LayerZero documentation
## Recommendations
Utilize nonce in the bytes payload or use the [non-blocking approach](https://github.com/LayerZero-Labs/solidity-examples/blob/main/contracts/lzApp/NonblockingLzApp.sol) recommended by LayerZero
Updates

Lead Judging Commences

inallhonesty Lead Judge
12 months ago
inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Not using the Non-Blocking Implementation might get the teleporter stuck

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.