TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

abi encoding is done without address conversion in layerzero quote function

hyperhorse

Summary

abi encoding is done without address conversion in layerzero quote function

Vulnerability Detail

The teleport function of TempleTeleporter sends abi.encodePacked(to.addressToBytes32(), amount) as the payload

link

function teleport(
uint32 dstEid,
address to,
uint256 amount,
bytes calldata options
) external payable override returns(MessagingReceipt memory receipt) {
if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
// Encodes the message before invoking _lzSend.
=> bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);
// debit
temple.burnFrom(msg.sender, amount);
emit TempleTeleported(dstEid, msg.sender, to, amount);
receipt = _lzSend(dstEid, _payload, options, MessagingFee(msg.value, 0), payable(msg.sender(), amount);

But inside the quote function, the address is used as is without converting to bytes32
link

function quote(
uint32 _dstEid,
address _to,
uint256 _amount,
bytes memory _options
) external view returns (MessagingFee memory fee) {
=> return _quote(_dstEid, abi.encodePacked(_to, _amount), _options, false);
}

This will cause a difference in the quoted fee causing the user to estimate the required fee incorrectly

Impact

Incorrect fee will be sent by the user when teleporting tokens

Tool used

Manual Review

Recommendation

Use abi.encodePacked(to.addressToBytes32(), amount) instead

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect payload bytes in `quote()` they use `abi.encodePacked(_to, _amount)` instead of `abi.encodePacked(_to.addressToBytes32(), _amount)`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.