TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Validation Issue in `_sendParam` Fields in send Function of `TempleGold` Contract

0xbeastboy

Summary

The send function in the TempleGold contract fails to adequately validate critical fields within the _sendParam parameter, specifically the destination chain ID (_sendParam.dstEid) and the amounts (_sendParam.amountLD and _sendParam.minAmountLD). This oversight can lead to unexpected behavior, vulnerabilities, or disruptions in cross-chain token transfers.

Vulnerability Details

The send function facilitates cross-chain transfers of Temple Gold tokens (TGLD) by interacting with the LayerZero endpoint. However, it lacks proper validation for essential parameters within _sendParam, which can result in the following vulnerabilities:

The function does not verify if the provided destination chain ID (_sendParam.dstEid) is within acceptable ranges or supported configurations. This omission can lead to transfers being routed to unintended or invalid destinations.

Similarly, the function does not enforce constraints on the amounts (_sendParam.amountLD and _sendParam.minAmountLD) being transferred. This can result in transfers of invalid or insufficient token amounts, potentially affecting transaction integrity or user expectations.

See the following code:

function send(
SendParam calldata _sendParam,
MessagingFee calldata _fee,
address _refundAddress
) external payable virtual override(IOFT, OFTCore) returns (MessagingReceipt memory msgReceipt, OFTReceipt memory oftReceipt) {
if (_sendParam.composeMsg.length > 0) { revert CannotCompose(); }
/// cast bytes32 to address
address _to = _sendParam.to.bytes32ToAddress();
/// @dev user can cross-chain transfer to self
if (msg.sender != _to) { revert ITempleGold.NonTransferrable(msg.sender, _to); }
// @dev Applies the token transfers regarding this send() operation.
// - amountSentLD is the amount in local decimals that was ACTUALLY sent/debited from the sender.
// - amountReceivedLD is the amount in local decimals that will be received/credited to the recipient on the remote OFT instance.
(uint256 amountSentLD, uint256 amountReceivedLD) = _debit(
msg.sender,
_sendParam.amountLD,
_sendParam.minAmountLD,
_sendParam.dstEid
);
// @dev Builds the options and OFT message to quote in the endpoint.
(bytes memory message, bytes memory options) = _buildMsgAndOptions(_sendParam, amountReceivedLD);
// @dev Sends the message to the LayerZero endpoint and returns the LayerZero msg receipt.
msgReceipt = _lzSend(_sendParam.dstEid, message, options, _fee, _refundAddress);
// @dev Formulate the OFT receipt.
oftReceipt = OFTReceipt(amountSentLD, amountReceivedLD);
emit OFTSent(msgReceipt.guid, _sendParam.dstEid, msg.sender, amountSentLD, amountReceivedLD);
}

Impact

Transfers may be directed to incorrect or unsupported destinations, resulting in loss of funds or failed transactions. Invalid amounts transferred can lead to unexpected financial outcomes or discrepancies in token balances. Exploitation of validation gaps could be leveraged by malicious actors to manipulate transactions or disrupt contract operations.

Tools Used

Manual Review

Recommendations

Implement checks to ensure that _sendParam.dstEid is within a predefined range of valid chain IDs or supported configurations. Validate _sendParam.amountLD and _sendParam.minAmountLD to ensure they meet predefined criteria, such as minimum transaction amounts or within available token balances.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.