TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

check bytes data length before abi.decode

Summary

The data length is not checked before abi.decode, which could result in the wrong address being decoded, and in some amount being lost or the transaction failing.

Vulnerability Details

lzReceive() does not check the payload length before decoding. If bytes data is provided, the recipient address could be wrong and the recipient amount could be lost, or the wrong recipient could be used.

```solidity
function _lzReceive(
    Origin calldata /*_origin*/,
    bytes32 /*_guid*/,
    bytes calldata _payload,
    address /*_executor,*/, // Executor address as specified by the OApp.
    bytes calldata /*_extraData */ // Any extra data or options to trigger on receipt.
) internal override {
    // Decode the payload to get the message
    (address _recipient, uint256 _amount) = abi.decode(_payload, (address, uint256));
    temple.mint(_recipient, _amount);
}
```

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/TempleTeleporter.sol#L99C5-L109C6

Impact

  • Some amount could be lost if the wrong address, such as the recipient, is decoded.

  • Some function calls might fail if the adapter is wrongly decoded.

Tools Used

Manual Review

Recommendations

  • Add a check for the bytes data length before abi.decode.
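One way to write the recommended length check, with a Foundry test exercising it. This is an added example, not code from the submission or from the TempleGold repository; `StrictReceiver`, its error, the sample values and the test names are hypothetical, and the test assumes forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical receiver used only for this example; not TempleTeleporter.
contract StrictReceiver {
    error InvalidPayloadLength(uint256 actual);

    // abi.encode(address, uint256) is exactly two 32-byte words.
    uint256 internal constant PAYLOAD_LENGTH = 64;

    function decodeMint(bytes calldata payload)
        external
        pure
        returns (address recipient, uint256 amount)
    {
        // Explicit check: reject short, packed or over-long messages up front.
        if (payload.length != PAYLOAD_LENGTH) revert InvalidPayloadLength(payload.length);
        (recipient, amount) = abi.decode(payload, (address, uint256));
    }
}

contract StrictReceiverTest is Test {
    StrictReceiver internal receiver = new StrictReceiver();
    address internal constant ALICE = address(0xA11CE); // constructed sample value
    uint256 internal constant AMOUNT = 1 ether;         // constructed sample value

    function test_acceptsStandardEncoding() public {
        (address to, uint256 amount) = receiver.decodeMint(abi.encode(ALICE, AMOUNT));
        assertEq(to, ALICE);
        assertEq(amount, AMOUNT);
    }

    function test_rejectsPackedEncoding() public {
        // abi.encodePacked(address, uint256) is 20 + 32 = 52 bytes.
        bytes memory packed = abi.encodePacked(ALICE, AMOUNT);
        vm.expectRevert(abi.encodeWithSelector(StrictReceiver.InvalidPayloadLength.selector, 52));
        receiver.decodeMint(packed);
    }

    function test_rejectsTrailingBytes() public {
        // A valid 64-byte message followed by one extra 32-byte word.
        bytes memory padded = abi.encodePacked(abi.encode(ALICE, AMOUNT), bytes32(0));
        vm.expectRevert(abi.encodeWithSelector(StrictReceiver.InvalidPayloadLength.selector, 96));
        receiver.decodeMint(padded);
    }
}
```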

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

`abi.encodePacked` to encode it while on the receiving it uses `abi.decode()` to decode the payload and it doesn't work like that
