TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Wrong decoding of payload

turvec

Summary

wrong decoding of payload

Context:
TempleTeleporter.sol#L52
TempleTeleporter.sol#L107

Vulnerability Details

The TempleTeleporter.sol::teleport() before invoking _lzSend encodes the payload to be sent, as a (bytes32, uint256) format due to converting the to address type to bytes32() to support for non-EVM chains:

// Encodes the message before invoking _lzSend.

bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);

However, was decoded in a (address, uint256) on the _lzReceive():

// Decode the payload to get the message

(address _recipient, uint256 _amount) = abi.decode(_payload, (address, uint256));

This causes a mismatch in the payload sent and received.

For example:
Consider an example where the address is 0x1234567890abcdef1234567890abcdef12345678 and the amount is 1000.

Encoding:
The address is padded to 32 bytes: 0x0000000000000000000000001234567890abcdef1234567890abcdef12345678.

The amount (1000) as uint256 is 0x00000000000000000000000000000000000000000000000000000000000003e8.

The resulting _payload will be:
0x0000000000000000000000001234567890abcdef1234567890abcdef12345678000000000000000000000000000000000000000000000000000000000000003e8

Decoding:
When decoding, Solidity will interpret the first 20 bytes as the address, leading to:
_recipient = 0x0000000000000000000000001234567890abcdef12345678

This is incorrect because the intended address is 0x1234567890abcdef1234567890abcdef12345678

Impact

This causes a mismatch in the payload sent and received.

Tools Used

Maual Review

Recommendations

Ensure the payload is decoded correctly:

// Decode the payload as bytes32 and uint256

(recipientBytes32, _amount) = abi.decode(_payload, (bytes32, uint256));

// Convert bytes32 back to address

address _recipient = address(uint160(uint256(recipientBytes32)));

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

`abi.encodePacked` to encode it while on the recieving it uses `abi.decode()` to decode the payload and it doesn't work like that

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.