TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

`TempleGold.send()` will result in bridging `$TGLD` to a wrong address if the sender is an AA wallet

0xhals

## Summary

`TempleGold.send()` will result in bridging `$TGLD` to a wrong address if the sender is an AA wallet as the function enforces that the receiver on the destination chain is the same address of the sender on the source chain.

## Vulnerability Details

- Users can bridge their `$TGLD` tokens between networks via `TempleGold.send()` function, where different checks are made before bridging these tokens, and one of the checks is checking that the sender address on the source chain is the same address that will receive the bridged tokens on the destination chain, and this check is done as the `$TGLD` tokens are not meant to be transferred between users (non-transferrable token):

```javascript

//@note : TempleGold.send()

function send(

SendParam calldata _sendParam,

MessagingFee calldata _fee,

address _refundAddress

)

external

payable

virtual

override(IOFT, OFTCore)

returns (MessagingReceipt memory msgReceipt, OFTReceipt memory oftReceipt)

{

//....

/// cast bytes32 to address

address _to = _sendParam.to.bytes32ToAddress();

/// @dev user can cross-chain transfer to self

if (msg.sender != _to) {

revert ITempleGold.NonTransferrable(msg.sender, _to);

}

//....

}

```

- But there's an issue with this mechanism:

Users who bridge their `$TGLD` tokens with "EOAs" (externally owned accounts) will be using the same address that is created on all evm chains for these accounts, but users of **account abstraction wallets** (which are unique smart contract instances deployed on individual chains) will have different addresses on different chains.

## Impact

So by enforcing the sender address on the source chain to be the receiver address on the destination chain without checking if the user is interacting with an AA wallet (as there's no check in the `TempleGold.send()` function to ensure that the caller is not a contract) will result in bridged `$TGLD` tokens to be minted to a wrong address on the destination chain.

## Tools Used

Manual Review.

## Recommendations

Update `TempleGold.send()` function **to revert if the caller is a contract** to protect users from losing their `$TGLD` on the source chain as it will be minted to a wrong receiver (not their AA wallet) on the destination chain.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Account abstraction, Multisig, Any other contract based solution that doesn't share the same address across chains will lose it's TGLD in teleport.

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.