TempleGold

TempleDAO
Foundry
25,000 USDC
View results
Submission Details
Severity: high
Invalid

Temple Gold Tokens can be transferred to a different address from the sender on another chain through the teleport function

Summary

There's a vulnerabiity in the teleport function that allows the msg.sender to transfer Temple Gold Tokens to a different address on another chain.

Vulnerability Details

The teleport function is designed to allow users to transfer Temple Gold tokens across different blockchain networks using LayerZero integration. However, the current implementation does not enforce the rule that users can only transfer to their own address on the destination chain.

A holder can only transfer cross-chain to their own address.

https://github.com/TempleDAO/temple/blob/templegold/protocol/contracts/templegold/README.md

Here's the teleport function signature:

function teleport(uint32 dstEid,address to,uint256 amount,bytes calldata options) external payable override returns(MessagingReceipt memory receipt)

Here are the problematic lines within the teleport function:

bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);
// ...
emit TempleTeleported(dstEid, msg.sender, to, amount);



The bug exists because the teleport function allows the caller to specify an arbitrary to address (which can be different from the sender's address), which is then encoded into the _payload and used in the TempleTeleported event. This to address is passed through the LayerZero messaging system to the destination chain, where it will be used to mint tokens to the specified address.


Impact

Temple Gold Token can be transferred to an address different from that of the owner and traded on decentralized exchange. This can drastically affect its value.

Tools Used

Manual review

Recommendations

It is suggested that the teleport function is modified to check that the to parameter is equal to msg.sender:

function teleport(
uint32 dstEid,
address to,
uint256 amount,
bytes calldata options
) external payable override returns(MessagingReceipt memory receipt) {
if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
if (to != msg.sender) { revert CommonEventsAndErrors.InvalidAddress(); }
// Encodes the message before invoking _lzSend.
bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);
// debit
temple.burnFrom(msg.sender, amount);
emit TempleTeleported(dstEid, msg.sender, to, amount);

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.