TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Teleport function would return a wrong error message when a wrong token is used for fee resulting in temporal denial of service

sabit

Summary

The teleport function returns an inappropriate error message when a wrong token is used to pay fee.

Vulnerability Details

A native token is expected to be used to pay fees when a user calls the teleport function. However, when a non-native token is used, the function reverts.

https://github.com/Cyfrin/2024-07-templegold/blob/6c3980a0486c01114d0ef1281df188b6c01991e6/protocol/contracts/templegold/TempleTeleporter.sol#L57C19-L57C26

This is because the teleport function calls _lzSend function which in turn calls the _payNative function:

function _lzSend(

uint32 _dstEid,

bytes memory _message,

bytes memory _options,

MessagingFee memory _fee,

address _refundAddress

) internal virtual returns (MessagingReceipt memory receipt) {

// @dev Push corresponding fees to the endpoint, any excess is sent back to the _refundAddress from the endpoint.

uint256 messageValue = _payNative(_fee.nativeFee);

if (_fee.lzTokenFee > 0) _payLzToken(_fee.lzTokenFee);

return

// solhint-disable-next-line check-send-result

endpoint.send{ value: messageValue }(

MessagingParams(_dstEid, _getPeerOrRevert(_dstEid), _message, _options, _fee.lzTokenFee > 0),

_refundAddress

);

}

function _payNative(uint256 _nativeFee) internal virtual returns (uint256 nativeFee) {if (msg.value != _nativeFee) revert NotEnoughNative(msg.value);return _nativeFee;}

However, there is a wrong error message in the _payNative function that is returned when a wrong token is used as msg.value to pay fees:

if (msg.value != _nativeFee) revert NotEnoughNative(msg.value);

The error message would be "NotEnoughNative(msg.value); instead of something like "WrongToken(msg.value):

Impact

Misleading error message is displayed when the teleport function is called with a wrong token to pay fee. This misleads a user. A user would think the fee value sent is "NotEnough" when in actual sense, a wrong token was sent. This could cause temporal denial of service because a user would believe there isn't actually enough token sent as msg.value for the fee. And this could take a lot of time before a user discovers the actual cause of the issue.

Tools Used

Manual review

Recommendations

Appropriate error message should be displayed when a wrong token is used to pay fee.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.