TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: high
Valid

Smart contracts' TGLD sent across chains might be lost

Lines Of Code

https://github.com/TempleDAO/temple/blob/3768698e6d78ba1340a57406e5961a0e2faba212/protocol/contracts/templegold/TempleGold.sol#L277-L307

Summary

Smart contracts' TGLD sent across chains might be lost.

Vulnerability Details

If the sender is also the receiver, TempleGold allows any address to send TGLD. This works perfectly for EOAs but not for smart contracts, because many smart contracts have been created with the create method, as was the case before the Byzantium hard fork of Ethereum.

This prevents some users from sending their TGLD across chains, and since TempleGold is an ERC20 smart contract, it implicitly allows EOAs and smart contracts to send their tokens. There is no mention that smart contracts are excluded from this feature.

Impact

Smart contracts created with the create method lose funds when sending TGLD across chains.

Tools Used

Manual review.

Recommendations

Expose a method for transferring TGLD from smart contracts created with the create method, or otherwise clearly state that such contracts cannot send TGLD.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Account abstraction, Multisig, Any other contract-based solution that doesn't share the same address across chains will lose its TGLD in teleport.
