Summary

The TempleTeleporter contract facilitates cross-chain transfer of Temple tokens (TEM) using LayerZero integration. It includes functions for teleporting tokens to a specified destination chain and estimating transaction fees through the quote function. The issue revolves around the lack of validation and error handling in the teleport function when interacting with the LayerZero endpoint for fee calculation (quote function). Specifically, the contract does not utilize the quote function to check and ensure that the provided msg.value is sufficient to cover the transaction fees on the destination chain.

Vulnerability Details

In the teleport function, after burning the tokens and before invoking _lzSend to initiate the cross-chain transfer, there is no validation of whether the provided msg.value (for gas and transaction fees) is sufficient for the transaction to succeed on the destination chain. Without checking the estimated fees using the quote function, there is a risk that the transaction could fail due to insufficient msg.value, potentially leaving the user's tokens burned without completing the teleportation process. Proper validation through the quote function ensures that users are informed about the required fees upfront, reducing the likelihood of failed transactions and enhancing the security and reliability of the teleportation process.

See the following code:

Impact

Users risk losing their tokens if the teleport transaction fails due to insufficient msg.value to cover the transaction fees on the destination chain. Lack of fee validation undermines the reliability of the teleportation process, potentially leading to user dissatisfaction and loss of trust in the application.

Tools Used

Manual Review

Recommendations

Modify the teleport function to include a call to the quote function before invoking _lzSend. This ensures that the contract checks and validates the required msg.value against the estimated fees for successful transaction execution on the destination chain.