TempleGold

TempleDAO
Foundry
25,000 USDC
View results
Submission Details
Severity: high
Valid

Protocol is NOT compliant with multisigs and some AA wallets

Summary

Protocol is NOT compliant with multisigs and some Acount Abstraction wallets, because they have different addresses on other chains

Vulnerability Details

By design the protocol token TGLD is NOT transferable between users. It can only be transfered if one of to or from is whitelisted - protocol auctions, temple gold contract itself.

TGLD can only be minted on Arbitrum however it can be transfered crosschain to use for some of the autions and/or staking.
In order to keep TGLD from being transferred between users the crosschain transfer only offers transfers if the receiver address on the destination chain is the msg.sender on the current chain.

function send(
SendParam calldata _sendParam,
MessagingFee calldata _fee,
address _refundAddress
) external payable virtual override(IOFT, OFTCore) returns (MessagingReceipt memory msgReceipt, OFTReceipt memory oftReceipt) {
if (_sendParam.composeMsg.length > 0) { revert CannotCompose(); }
/// cast bytes32 to address
address _to = _sendParam.to.bytes32ToAddress();
/// @dev user can cross-chain transfer to self
=> if (msg.sender != _to) { revert ITempleGold.NonTransferrable(msg.sender, _to); }

This is problematic since multisig wallets (and some) have different addresses on different chains.

Multisig participants will lose their tokens, because target address on destination chain is not owned by them or does not even exist - hence tokens lost.

Impact

Lost rewards for participants, who use multisig wallets. Also the problem could occur in some account abstraction wallets.

Tools Used

Manual Review

Recommendations

Since the TGLD token is not transferable between users let users chose only one address to which they can transfer instead of transferring to the msg.sender

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Account abstraction, Multisig, Any other contract based solution that doesn't share the same address across chains will lose it's TGLD in teleport.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.