Vulnerability details
    function teleport(
        uint32 dstEid,
        address to,
        uint256 amount,
        bytes calldata options
    ) external payable override returns(MessagingReceipt memory receipt) {
        if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
        if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
        bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);
        temple.burnFrom(msg.sender, amount);
        emit TempleTeleported(dstEid, msg.sender, to, amount);
        receipt = _lzSend(dstEid, _payload, options, MessagingFee(msg.value, 0), payable(msg.sender));
    }
The tokens refunded to msg.sender may not be recoverable if the caller doesn't have control over it (for example, when the caller is using a multisig wallet contract or the transaction is sent by another address).
Proof of Concept
    receipt = _lzSend(
        dstEid,
        _payload,
        options,
        MessagingFee(msg.value, 0),
        payable(msg.sender)
    );
msg.sender is set as the refund address, which might not be controlled by the user.
Impact
The refund address is incorrectly set. The original user loses the refunded LayerZero fees.
Recommended Mitigation Steps
Set the LayerZero refund address to a user input address:
    receipt = _lzSend(
        dstEid,
        _payload,
        options,
        MessagingFee(msg.value, 0),
        refundAddress
    );
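
The difference between the two refund targets, as an added example that is not the project's code: a self-contained model in which a forwarding contract submits the call on a user's behalf. MockSender, TeleporterModel, Forwarder, NATIVE_FEE and every function name here are hypothetical; _mockSend is a simplified stand-in for the LayerZero send path that assumes only "charge a native fee and return the excess to the refund address".

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in for the send path (assumption): charge a fixed native
// fee and return whatever was overpaid to the supplied refund address.
abstract contract MockSender {
    uint256 public constant NATIVE_FEE = 0.01 ether; // constructed value

    function _mockSend(uint256 paid, address refundAddress) internal {
        require(paid >= NATIVE_FEE, "fee too low");
        uint256 excess = paid - NATIVE_FEE;
        if (excess > 0) {
            (bool ok, ) = payable(refundAddress).call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}

contract TeleporterModel is MockSender {
    error InvalidAddress();

    // Before: the refund goes to the immediate caller, which may be a
    // forwarder or wallet contract rather than the user who paid.
    function teleportRefundToCaller() external payable {
        _mockSend(msg.value, msg.sender);
    }

    // After: the caller names the refund recipient, and it is validated.
    function teleportRefundTo(address refundAddress) external payable {
        if (refundAddress == address(0)) revert InvalidAddress();
        _mockSend(msg.value, refundAddress);
    }
}

// Hypothetical intermediary that submits the call for a user.
contract Forwarder {
    receive() external payable {}

    // Excess fee is refunded to this contract and stays here.
    function forwardOld(TeleporterModel t) external payable {
        t.teleportRefundToCaller{value: msg.value}();
    }

    // Excess fee is refunded to the user the forwarder acts for.
    function forwardNew(TeleporterModel t, address user) external payable {
        t.teleportRefundTo{value: msg.value}(user);
    }
}
```

Sending more than NATIVE_FEE through forwardOld leaves the excess in the Forwarder's balance, while the same call through forwardNew credits it to user. Adding the parameter to the real teleport changes its signature, so the interface it overrides has to change with it.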