TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

An attacker can permanently DoS the LayerZero communication channel

dimah7

## Summary

Based on LayerZero docs for [Message Ordering](https://docs.layerzero.network/v1/home/concepts/messaging-properties#message-ordering): "the message order nonce is shared by all dstUA on the same dstChain. That's why a STORED message blocks the message pathway from srcUA to all dstUA on the same destination chain. If it isn't necessary to preserve the sequential nonce property for a particular dstUA the sender must add the nonce into the payload and handle it end-to-end within the UA. UAs can implement a non-blocking pattern in their contract code."

In simple words, because the nonce is shared if a single message encounters an error, subsequent messages cannot proceed for a certain channel until the issue is resolved.

## Vulnerability Details

The problem lies in the `TempleTeleporter::teleport()` function, which is used for cross-chain transfer of Temple tokens on Mainnet-Arbitrum channel.

```javascript

function teleport(

uint32 dstEid,

address to,

uint256 amount,

bytes calldata options

) external payable override returns(MessagingReceipt memory receipt) {

if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }

if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }

// Encodes the message before invoking _lzSend.

bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);

// debit

temple.burnFrom(msg.sender, amount);

emit TempleTeleported(dstEid, msg.sender, to, amount);

receipt = _lzSend(dstEid, _payload, options, MessagingFee(msg.value, 0), payable(msg.sender));

}

```

As can be seen the nonce recommendation from LayerZero is not implemented in the `payload` hashing, that means if one message fails, the following ones will do also. So if an attacker delibately fails a message transaction, the Mainnet-Arbitrum channel will be blocked forever thus making it completely unusable.

As can be seen in the teleporter contract, the non-blocking recommendation is not utilized anywhere in code: https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/TempleTeleporter.sol

## Impact

- High: an attacker can block permanently a channel between chains

## Tools Used

LayerZero documentation

## Recommendations

Utilize nonce in the bytes payload or use the [non-blocking approach](https://github.com/LayerZero-Labs/solidity-examples/blob/main/contracts/lzApp/NonblockingLzApp.sol) recommended by LayerZero

Updates

Lead Judging Commences

inallhonesty Lead Judge

12 months ago

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

Not using the Non-Blocking Implementation might get the teleporter stuck

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.