Submission Details
Severity:
`TempleTeleporter._lzReceive` assumes `to` address length incorrectly.
Summary
TempleTeleporter._lzReceive assumes to address length incorrectly.
Vulnerability Details
TempleTeleporter.send converts to in the message from 20 bytes to 32 bytes.
address _to = _sendParam.to.bytes32ToAddress();
However, TempleTeleporter._lzReceive assumes that to is 20 bytes.
(address _recipient, uint256 _amount) = abi.decode(_payload, (address, uint256));
Impact
abi.decode(_payload, (address, uint256)) will revert because it tries converting 64-byte_payload into (20 + 32)
bytes.
Tools Used
Manual review
Recommendations
LayerZero uses bytes32 for broad compatibility with non-EVM chains. Therefore, keep the to address as bytes32 in the message.
- (address _recipient, uint256 _amount) = abi.decode(_payload, (address, uint256));
+ (bytes32 _recipientBytes, uint256 _amount) = abi.decode(_payload, (bytes32, uint256));
+ address _recipient = _recipientBytes.bytes32ToAddress();
Updates
Lead Judging Commences
inallhonesty over 1 year ago
Submission Judgement Published Reason: Incorrect statement
Assigned finding tags:
`abi.encodePacked` to encode it while on the recieving it uses `abi.decode()` to decode the payload and it doesn't work like that
Prize pool breakdown
Total prize
25,000 USDC
nSLOC
99825
USDC / LOC
20,000 USDC
2,500 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.