TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

`quote` is implemented wrongly

pyro

Summary

TempleTeleporter::quote function is implemented wrong, quoting for less gas, potentially causing LZ to revert as the real needed gas is more than the quoted one.

Vulnerability Details

quote gives the wrong quote as it encodes the to address together with the amount in their raw forms.
https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/TempleTeleporter.sol#L87

function quote(uint32 _dstEid, address _to, uint256 _amount, bytes memory _options)
external view returns (MessagingFee memory fee) {
//@audit `to` is an address and not bytes32 ?
return _quote(_dstEid, abi.encodePacked(_to, _amount), _options, false);
}

However the real messages are sent with their addresses converted to bytes32 using bytes32ToAddress().

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/TempleTeleporter.sol#L55

bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);
temple.burnFrom(msg.sender, amount);
emit TempleTeleported(dstEid, msg.sender, to, amount);
receipt = _lzSend(dstEid, _payload, options, MessagingFee(msg.value, 0), payable(msg.sender));

This will return a wrong quote, either too small or too big, which can cause a mismatch between the msg.value our users provide and the real msg.value that is needed by LZ to execute the TX.

Impact

quote does not send accurate quotes.

Tools Used

Manual review

Recommendations

Fix the encoding to encode to as bytes32.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect payload bytes in `quote()` they use `abi.encodePacked(_to, _amount)` instead of `abi.encodePacked(_to.addressToBytes32(), _amount)`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.