TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Msg.Value Check Teleport

1337web3

Summary

The TempleTeleporter::teleport function does not verify if the provided msg.value is sufficient to cover the necessary fees for cross-chain teleportation. This oversight can lead to increased gas costs and unclear error handling.

Vulnerability Details

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/TempleTeleporter.sol#L43

The teleport function requires a certain amount of msg.value to be sent to cover the execution and transfer fees on both the source and destination chains. However, there is no check within the function to ensure that the supplied msg.value is adequate. The quote function can be used to estimate the necessary value, but it is not utilized in the teleport function to validate the provided msg.value.

Impact

Failure to check if msg.value is sufficient can lead to unsuccessful transactions, increased gas costs, and unclear error messages, causing confusion for users and potentially leading to loss of funds due to failed transactions.

Tools Used

Manual Review

Recommendations

Add a call to the quote function within the teleport function to check if the supplied msg.value is enough to cover the required fees. This will help reduce gas costs and make error handling clearer. Below is the updated teleport function with the recommended check:

/**

* @notice Teleport temple tokens cross chain

* Enough msg.value needs to be sent through to cover completing execution and the transfer by endpoint and on the destination chain.

* This value can be estimated via the `quote()` function.

* @dev Temple tokens are burned from source chain and minted on destination chain

* @param dstEid Destination chain id

* @param to Recipient

* @param amount Amount of tokens

* @param options LZ extra options

function teleport(

uint32 dstEid,

address to,

uint256 amount,

bytes calldata options

) external payable override returns (MessagingReceipt memory receipt) {

if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }

if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }

+ // Calculate the required fee using the quote function

+ MessagingFee memory requiredFee = quote(dstEid, abi.encodePacked(to.addressToBytes32(), amount), options);

+ // Check if the supplied msg.value is sufficient

+ if (msg.value < requiredFee.nativeFee) {

+ revert CommonEventsAndErrors.InsufficientValue();

+ }

// Encodes the message before invoking _lzSend.

bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);

// debit

temple.burnFrom(msg.sender, amount);

emit TempleTeleported(dstEid, msg.sender, to, amount);

receipt = _lzSend(dstEid, _payload, options, MessagingFee(msg.value, 0), payable(msg.sender));

}

Updates

Lead Judging Commences

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Fee validation issue in send

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.