TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Quote is not utilized properly

0xtheblackpanther

GitHub
https://github.com/Cyfrin/2024-07-templegold/blob/6c3980a0486c01114d0ef1281df188b6c01991e6/protocol/contracts/templegold/TempleTeleporter.sol#L43

Summary

Currently, the teleport function can be called with any gas limit. This means if a user adds a small msg.value, the _lzSend function will be called, which in turn calls _payNative(_fee.nativeFee). There is a check if (msg.value != _nativeFee) revert NotEnoughNative(msg.value); that can be bypassed. This happens because the quote function is declared but not utilized properly to verify the required fee.

Impact

Users can potentially bypass the fee check by sending a very small msg.value, leading to insufficient fees being paid for the transaction. This could result in failed transactions or unexpected behavior, affecting the reliability and security of the teleport function.

Recommendation

To ensure the correct fee is paid, calculate the required fee using the quote function before calling _lzSend and compare it with msg.value. If msg.value is less than the required fee, revert the transaction. This will enforce the correct fee payment and prevent any bypass.

function teleport(

uint32 dstEid,

address to,

uint256 amount,

bytes calldata options

) external payable override returns (MessagingReceipt memory receipt) {

if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }

if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }

// Encodes the message before invoking _lzSend.

bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);

// Calculate the required fee using quote function

MessagingFee memory requiredFee = _quote(dstEid, _payload, options, false);

// Check if the msg.value provided is enough to cover the required native fee

if (msg.value < requiredFee.nativeFee) {

revert NotEnoughNative(msg.value);

}

// debit

temple.burnFrom(msg.sender, amount);

emit TempleTeleported(dstEid, msg.sender, to, amount);

// Proceed with sending the message

receipt = _lzSend(

dstEid, // Destination chain's endpoint ID.

_payload, // Encoded message payload being sent

options, // Message execution options (e.g., gas to use on destination).

MessagingFee(msg.value, 0), // Fee struct containing native gas and ZRO token.

payable(msg.sender) // The refund address in case the send call reverts

);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge

11 months ago

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.