TempleGold

TempleDAO
Foundry
25,000 USDC
View results
Submission Details
Severity: high
Valid

Account Abstraction Wallets Unusable Due to Cross-Chain Feature Implementation on Temple Gold

Summary

The implementation of cross-chain features within Temple Gold renders account abstraction wallets unusable. This affects the core functionality and usability of the wallet system across different blockchain networks. Users with account abstraction wallets have different addresses for the same account across different chains.

Vulnerability Details

Account abstraction wallets are designed to operate on a single blockchain, but the protocol's cross-chain feature implementation does not adequately support these wallets. When a smart wallet tries to bridge a token like Temple Gold there is no guarantee that the user is the owner of the address on the chain to be bridged. An unaware user who uses an account abstraction wallet to send Temple Gold to another chain will lose the token.

function send(
SendParam calldata _sendParam,
MessagingFee calldata _fee,
address _refundAddress
) external payable virtual override(IOFT, OFTCore) returns (MessagingReceipt memory msgReceipt, OFTReceipt memory oftReceipt) {
if (_sendParam.composeMsg.length > 0) { revert CannotCompose(); }
/// cast bytes32 to address
@> address _to = _sendParam.to.bytes32ToAddress();
/// @dev user can cross-chain transfer to self
@> if (msg.sender != _to) { revert ITempleGold.NonTransferrable(msg.sender, _to); }
// @dev Applies the token transfers regarding this send() operation.
// - amountSentLD is the amount in local decimals that was ACTUALLY sent/debited from the sender.
// - amountReceivedLD is the amount in local decimals that will be received/credited to the recipient on the remote OFT instance.
(uint256 amountSentLD, uint256 amountReceivedLD) = _debit(
msg.sender,
_sendParam.amountLD,
_sendParam.minAmountLD,
_sendParam.dstEid
);
// @dev Builds the options and OFT message to quote in the endpoint.
(bytes memory message, bytes memory options) = _buildMsgAndOptions(_sendParam, amountReceivedLD);
// @dev Sends the message to the LayerZero endpoint and returns the LayerZero msg receipt.
msgReceipt = _lzSend(_sendParam.dstEid, message, options, _fee, _refundAddress);
// @dev Formulate the OFT receipt.
oftReceipt = OFTReceipt(amountSentLD, amountReceivedLD);
emit OFTSent(msgReceipt.guid, _sendParam.dstEid, msg.sender, amountSentLD, amountReceivedLD);
}

The limitation imposed to restrict users only to send token to the same address across chain is the major issue.

Proof of Concept

  1. Account Abstraction User gets Temple Token through Auction by Sending Dai to DaiGoldAuction

  2. Spice bazaar auctions (bidding TGLD for volatile token) can be on any chain

  3. Account Abstraction User unable to bid TGLD for volatile token or bridge the token and lose it

Impact

Users relying on account abstraction wallets will be unable to perform cross-chain operations, leading to a loss of functionality. This could result in significant user dissatisfaction and a potential decrease in user base, as the wallets will not serve their intended purpose in a multi-chain environment.

There is potential for financial loss if users are unable to access or move their assets due to the cross-chain incompatibility

Tools Used

Manual Review

Recommendations

  1. Document that Account Abstraction and smart contracts wallet cannot use the protocol if the design cannot be changed

  2. Reimplemt the cross-chain send function for users to be able to specify the account they want to bridge the token to.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Account abstraction, Multisig, Any other contract based solution that doesn't share the same address across chains will lose it's TGLD in teleport.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.