TempleGold

TempleDAO
Foundry
25,000 USDC
View results
Submission Details
Severity: high
Invalid

TempleTeleporter lacks support for enforced options

Summary

The implementation of TempleTeleporter inherits from LayerZero's OApp which doesn't bring support for enforced options by default.

Vulnerability Details

Unlike OFT applications used in the TempleGold implementation, bare LayerZero's OApp do not include by default handling for enforced options. As stated in their documentation, enforced options are the way in which protocol owners can set the requirements for user input options set while bridging messages.

Once you determine ideal message _options, you will want to make sure users adhere to it. In the case of OApp, you mostly want to make sure the gas amount you have included in _options for the lzReceive call can be enforced for all callers of _lzSend, to prevent reverts.

The setEnforcedOptions function allows the contract owner to specify mandatory execution options, making sure that the application behaves as expected when users interact with it.

Execution options control different aspects of the messaging, in particular gas options used to cover gas and fees costs.

Impact

User options used to call teleport() and forward to _lzSend() cannot be validated and enforced by the owners of the contract. Failure to set proper gas options could lead to reverts in the destination chain, causing loss of funds.

Tools Used

None.

Recommendations

Implement support for enforced options as detailed in the LayerZero's documentation.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

adriro Submitter
11 months ago
inallhonesty Lead Judge
11 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.