TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

Insufficient Fee Validation in send() Function

Summary

The send() function of the TempleGold.sol contract does not perform sufficient validation on the _fee parameter. This lack of validation allows malicious users to provide an insufficient fee, potentially leading to financial losses for the contract. The absence of a minimum fee check creates a vulnerability that can be exploited by sending minimal fees (e.g., 0 or 1 wei), causing the contract to subsidize the remaining cost.

Vulnerability Details

The _fee parameter is passed to the _lzSend function without any validation to ensure it meets a minimum threshold. This allows users to set an arbitrarily low fee.

A malicious user can exploit this vulnerability by sending a minimal fee (e.g., 0 or 1 wei) when calling the send function. The contract will then deduct the remainder of the actual fee required for processing the message from its own balance, resulting in a financial loss.

Impact

The contract will incur additional costs to cover fees that should have been paid by the user. Over time, this can lead to significant depletion of the contract's funds. Furthermore, if the contract's funds are exhausted, it may no longer be able to process messages.

Tools Used

Manual review

Recommendations

  • It is recommended to validate that _fee meets a predefined minimum threshold before calling _lzSend.

  • Or determine a reasonable minimum fee based on the operational cost of processing a message, and refund any excess amount to the caller.

+ int256 constant MINIMUM_FEE = 1000; // Example minimum fee
function send(
SendParam calldata _sendParam,
MessagingFee calldata _fee,
address _refundAddress
) {
...
+ require(_fee.amount >= MINIMUM_FEE, "Insufficient fee provided");
...
}
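Review bot: the constant is declared as `int256 constant MINIMUM_FEE = 1000;` but a fee can never be negative, and comparing a (presumably unsigned) `_fee.amount` against a signed constant will not compile without a cast; declare it `uint256 constant MINIMUM_FEE`. The `send(...)` signature shown also carries no visibility or `payable` modifier, so as written it could neither be called externally nor receive the fee; the recommendation should reproduce the function's real signature. Finally, a flat constant implements only the first bullet: it does not relate the check to the actual cost of processing the message, and since `_fee` is supplied by the caller, the caller still controls the value being checked. To stop the contract subsidising the fee, the check should compare what the caller actually sent (`msg.value`) against the quoted cost for the message, with any excess refunded as the second bullet suggests.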
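The second recommendation, validating the caller's payment against a quoted cost and refunding the excess, as an added example. This is not TempleGold or TempleDAO code and does not use the LayerZero API: `IFeeQuoter`, the `endpoint` address, `sendUnchecked`, `send` and the constructed 1000-wei quote in the comments are all assumptions made for illustration. `sendUnchecked` mirrors the weak pattern the report describes, where the contract pays the real cost from its own balance regardless of what the caller sent; `send` is the hardened form.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: something that can quote the native fee for a message.
// Not a real LayerZero interface; it stands in for whatever the messaging
// layer exposes for fee quotation.
interface IFeeQuoter {
    function quote(bytes calldata message) external view returns (uint256 nativeFee);
}

contract FeeValidatedSender {
    IFeeQuoter public immutable quoter;
    address payable public immutable endpoint; // assumed recipient of the message fee

    event MessageSent(bytes message, uint256 feePaid, uint256 refunded);

    error InsufficientFee(uint256 required, uint256 provided);
    error RefundFailed();

    constructor(IFeeQuoter _quoter, address payable _endpoint) {
        quoter = _quoter;
        endpoint = _endpoint;
    }

    // Weak form (the pattern the report describes): msg.value is never compared
    // with the cost of the message, so a caller can send 0 or 1 wei and the
    // contract's own balance covers the shortfall.
    function sendUnchecked(bytes calldata message) external payable {
        uint256 required = quoter.quote(message); // e.g. 1000 wei (constructed)
        _dispatch(message, required);             // paid from contract balance
        emit MessageSent(message, required, 0);
    }

    // Hardened form: derive the minimum from the quoted cost, require that
    // msg.value covers it, and refund any excess to the caller-supplied address.
    function send(bytes calldata message, address payable refundAddress) external payable {
        uint256 required = quoter.quote(message);
        if (msg.value < required) revert InsufficientFee(required, msg.value);

        _dispatch(message, required);

        uint256 excess = msg.value - required;
        if (excess > 0) {
            (bool ok, ) = refundAddress.call{value: excess}("");
            if (!ok) revert RefundFailed();
        }
        emit MessageSent(message, required, excess);
    }

    // Placeholder for the cross-chain send: forwards exactly the quoted fee to
    // the assumed endpoint. A real integration would call the messaging layer here.
    function _dispatch(bytes calldata message, uint256 fee) internal {
        (bool ok, ) = endpoint.call{value: fee}(message);
        require(ok, "endpoint call failed");
    }

    // Allows the contract to hold a balance, which is what sendUnchecked drains.
    receive() external payable {}
}
```

The point of the hardened `send` is that the threshold is derived on-chain from the quoted cost rather than from a caller-supplied number, and the comparison is against `msg.value`, the only quantity the caller cannot misreport. A fixed constant such as the 1000 in the suggested diff would still let the contract subsidise any message whose real cost exceeds that constant.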
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Fee validation issue in send

Appeal created

namx05 Submitter
11 months ago
inallhonesty Lead Judge
10 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Fee validation issue in send
