TempleGold

TempleDAO
Foundry
25,000 USDC
View results
Submission Details
Severity: high
Valid

Bridged Temple Gold could be lost for smart wallet users

Summary

Temple Gold (TGLD) can only be bridged to the same recipient account as the source account, which could be conflicting for some smart wallet implementations and potentially lead to loss of funds.

Vulnerability Details

The Temple Gold token is by design non-transferrable. Since the token can also be bridged using LayerZero, bridging is hardwired to the same recipient address as the source.

281: function send(
282: SendParam calldata _sendParam,
283: MessagingFee calldata _fee,
284: address _refundAddress
285: ) external payable virtual override(IOFT, OFTCore) returns (MessagingReceipt memory msgReceipt, OFTReceipt memory oftReceipt) {
286: if (_sendParam.composeMsg.length > 0) { revert CannotCompose(); }
287: /// cast bytes32 to address
288: address _to = _sendParam.to.bytes32ToAddress();
289: /// @dev user can cross-chain transfer to self
290: if (msg.sender != _to) { revert ITempleGold.NonTransferrable(msg.sender, _to); }

Normally, this is ok for EOAs since the owner holds the keys to eventually sign transactions in other chains. However, the same is not true for wallets that are implemented using smart contracts. These accounts are contracts that have an address which is dependent on the specifics of how these contracts are deployed in each chain.

Safe wallets are one the most popular products in their category with currently nearly 10M deployed accounts. These types of contracts are not guaranteed to have the same addresses in different chains, or in other words ownership of an account is not guaranteed to be the same cross-chain. A good reference is the Optimism Wintermute incident, in which tokens were sent to a Safe account address but in another chain. Attackers eventually brute forced the deployment to match the account address and stole the tokens.

Impact

Bridged TempleGold tokens could be lost for accounts using smart contracts, as account ownership is not guaranteed across chains.

Tools Used

None.

Recommendations

Consider allowing an arbitrary recipient for cross-chain bridging, while enforcing, once first settled, a unique path to prevent abuses. For example, if tokens are bridged from accounts A -> B, then the way back must be restricted to B -> A. Subsequent bridging must also follow the same route.

TODO
https://code4rena.com/reports/2023-09-ondo#m-02-all-bridged-funds-will-be-lost-for-the-users-using-the-account-abstraction-wallet

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Account abstraction, Multisig, Any other contract based solution that doesn't share the same address across chains will lose it's TGLD in teleport.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.