TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Temple Gold Tokens can be transferred to a different address from the sender on another chain through the teleport function

sabit

Summary

There's a vulnerabiity in the teleport function that allows the msg.sender to transfer Temple Gold Tokens to a different address on another chain.

Vulnerability Details

The teleport function is designed to allow users to transfer Temple Gold tokens across different blockchain networks using LayerZero integration. However, the current implementation does not enforce the rule that users can only transfer to their own address on the destination chain.

A holder can only transfer cross-chain to their own address.

https://github.com/TempleDAO/temple/blob/templegold/protocol/contracts/templegold/README.md

Here's the teleport function signature:

function teleport(uint32 dstEid,address to,uint256 amount,bytes calldata options) external payable override returns(MessagingReceipt memory receipt)

Here are the problematic lines within the teleport function:

bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);
// ...
emit TempleTeleported(dstEid, msg.sender, to, amount);

The bug exists because the teleport function allows the caller to specify an arbitrary to address (which can be different from the sender's address), which is then encoded into the _payload and used in the TempleTeleported event. This to address is passed through the LayerZero messaging system to the destination chain, where it will be used to mint tokens to the specified address.

Impact

Temple Gold Token can be transferred to an address different from that of the owner and traded on decentralized exchange. This can drastically affect its value.

Tools Used

Manual review

Recommendations

It is suggested that the teleport function is modified to check that the to parameter is equal to msg.sender:

function teleport(
uint32 dstEid,
address to,
uint256 amount,
bytes calldata options
) external payable override returns(MessagingReceipt memory receipt) {
if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
if (to != msg.sender) { revert CommonEventsAndErrors.InvalidAddress(); }
// Encodes the message before invoking _lzSend.
bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);
// debit
temple.burnFrom(msg.sender, amount);
emit TempleTeleported(dstEid, msg.sender, to, amount);

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.