TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Incorrect payload bytes in `quote()`

mt030d

Summary

The quote() function in the TempleTeleporter contract would returns an incorrect fee estimation due to the use of an incorrect payload bytes.

Vulnerability Details

https://github.com/Cyfrin/2024-07-templegold/blob/6c3980a0486c01114d0ef1281df188b6c01991e6/protocol/contracts/templegold/TempleTeleporter.sol#L87-L94

function quote(
uint32 _dstEid,
address _to,
uint256 _amount,
bytes memory _options
) external view returns (MessagingFee memory fee) {
return _quote(_dstEid, abi.encodePacked(_to, _amount), _options, false);
}

The quote() function uses abi.encodePacked(_to, _amount) as payload bytes for quoting. However, the actural payload bytes in teleport() is abi.encodePacked(to.addressToBytes32(), amount), which is equivalent to abi.encode(_to, _amount).

As a result, users would receive an incorrect fee estimation from quote().

Impact

Since the fee quotation in quote() is incorrect, using this value as the msg.value in teleport() might cause the transaction to fail. This could result in unnecessary gas fees for the user and compromise their experience.

Tools Used

Manual review

Recommendations

Update the payload calculation in quote() as follows:

function quote(
uint32 _dstEid,
address _to,
uint256 _amount,
bytes memory _options
) external view returns (MessagingFee memory fee) {
- return _quote(_dstEid, abi.encodePacked(_to, _amount), _options, false);
+ return _quote(_dstEid, abi.encodePacked(_to.addressToBytes32(), _amount), _options, false);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect payload bytes in `quote()` they use `abi.encodePacked(_to, _amount)` instead of `abi.encodePacked(_to.addressToBytes32(), _amount)`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.