TempleGold::send(...) sends TGLD to the wrong address if the caller is using an account abstraction wallet.
TempleGold::send(...) is an overridden OFT function. It sends TGLD from a source chain to a target chain. Here's a stripped-out version:
It assumes a user has the same address on every EVM target chain. That assumption does not hold for account abstraction wallets.
The list of LayerZero V2 deployed endpoints includes EID 30165, which corresponds to zkSync Era mainnet. zkSync Era has native account abstraction, so a user's address there can differ from their Ethereum address.
As a result, if TGLD is sent to zkSync Era for example, the msg.sender != _to check no longer protects the user: the tokens are credited to an address the user does not control on the destination chain. TGLD is sent to the wrong address and is permanently lost, potentially making someone else super rich.
Users lose TGLD permanently.
TGLD serves as "points" within Temple, so affected users also lose its utility: bidding in auctions (DaiGold Auctions and Spice Auctions) and redeeming volatile assets from the Temple treasury.
Users additionally lose the gas fees paid for the failed transfer.
Manual review.
LayerZero V2 docs.
Give the user the option to pass in a recipient address, set only by the user:
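The following is an added illustration, not TempleGold's or LayerZero's code: a hypothetical, simplified OFT-style contract that shows the "recipient must equal msg.sender" check beside a version that takes an explicit recipient. The LayerZero endpoint call is stubbed with an event; the contract name, function names and balances are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, simplified OFT-style token (example code, not TempleGold's).
/// Only the destination-recipient handling is modelled; the actual LayerZero
/// messaging is replaced by an event.
contract RecipientOftExample {
    mapping(address => uint256) public balanceOf;

    event Sent(uint32 indexed dstEid, bytes32 to, uint256 amount);

    constructor() {
        balanceOf[msg.sender] = 1_000 ether; // constructed sample balance
    }

    // Pattern described in the finding: the destination recipient is forced to
    // equal msg.sender. This silently assumes the caller controls the same
    // address on every chain, which is false for account abstraction wallets
    // (e.g. on zkSync Era, EID 30165), so the tokens can land at an address
    // nobody controls.
    function sendToSelf(uint32 dstEid, bytes32 to, uint256 amount) external {
        require(address(uint160(uint256(to))) == msg.sender, "to must be sender");
        _debitAndSend(dstEid, to, amount);
    }

    // Recommended pattern: the caller chooses the destination recipient
    // explicitly, so a smart-wallet user can supply the address they actually
    // control on the target chain.
    function send(uint32 dstEid, address recipient, uint256 amount) external {
        require(recipient != address(0), "zero recipient");
        _debitAndSend(dstEid, bytes32(uint256(uint160(recipient))), amount);
    }

    function _debitAndSend(uint32 dstEid, bytes32 to, uint256 amount) internal {
        balanceOf[msg.sender] -= amount; // reverts on insufficient balance (0.8+ checked math)
        // A real OFT would build a SendParam and call the LayerZero endpoint here.
        emit Sent(dstEid, to, amount);
    }
}
```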