TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Valid

Incorrect payload encoding from the original leads to incorrect price estimation and griefing.

Summary

The payload encoded in quote() differs from the one teleport() actually sends, which leads to incorrect fee estimation and griefing.

Vulnerability Details

In the TempleTeleporter.sol contract, the teleport() function is used to teleport Temple tokens cross-chain. It uses the _lzSend() function to do so.

function teleport(
    uint32 dstEid,
    address to,
    uint256 amount,
    bytes calldata options
) external payable override returns(MessagingReceipt memory receipt) {
    if (amount == 0) { revert CommonEventsAndErrors.ExpectedNonZero(); }
    if (to == address(0)) { revert CommonEventsAndErrors.InvalidAddress(); }
    // Encodes the message before invoking _lzSend.
    bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);
    // debit
    temple.burnFrom(msg.sender, amount);
    emit TempleTeleported(dstEid, msg.sender, to, amount);
    receipt = _lzSend(dstEid, _payload, options, MessagingFee(msg.value, 0), payable(msg.sender));
}

Here, the messaging fee is paid in msg.value, so the fee needs to be sent with this call. To estimate the fee accurately, the _quote() function of OAppSender.sol is used.

In TempleTeleporter.sol, one of the quote() functions is implemented as:

function quote(
    uint32 _dstEid,
    address _to,
    uint256 _amount,
    bytes memory _options
) external view returns (MessagingFee memory fee) {
    return _quote(_dstEid, abi.encodePacked(_to, _amount), _options, false);
}

Notice that in the teleport() function, payload is calculated as:

bytes memory _payload = abi.encodePacked(to.addressToBytes32(), amount);

But in the quote() function, payload is calculated as:

abi.encodePacked(_to, _amount)

Thus the payload used for quoting the fee differs from the message that is actually sent. This makes the fee calculation inaccurate.
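The size difference between the two encodings can be checked directly. The following is an added example, not code from TempleDAO or LayerZero: the contract and function names are hypothetical, toBytes32() is assumed to behave like addressToBytes32() (left-padding the address to 32 bytes), and the recipient and amount are constructed sample values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: only the two abi.encodePacked expressions come from the
// finding; every name in this contract is hypothetical.
contract PayloadEncodingCheck {
    // Assumption: mirrors addressToBytes32(), i.e. left-pads the 20-byte
    // address to a 32-byte word.
    function toBytes32(address a) internal pure returns (bytes32) {
        return bytes32(uint256(uint160(a)));
    }

    // Payload built by teleport(): bytes32 (32) + uint256 (32) = 64 bytes.
    function sentPayload(address to, uint256 amount) public pure returns (bytes memory) {
        return abi.encodePacked(toBytes32(to), amount);
    }

    // Payload built by quote(): packed address (20) + uint256 (32) = 52 bytes.
    function quotedPayload(address to, uint256 amount) public pure returns (bytes memory) {
        return abi.encodePacked(to, amount);
    }

    // Regression check: the quoted message must be byte-identical to the sent one.
    function payloadsMatch(address to, uint256 amount) public pure returns (bool) {
        return keccak256(quotedPayload(to, amount)) == keccak256(sentPayload(to, amount));
    }

    function test_quotedPayloadIsShorterThanSent() public pure {
        address to = address(0xBEEF); // constructed sample recipient
        uint256 amount = 1 ether;     // constructed sample amount
        bytes memory sent = sentPayload(to, amount);
        bytes memory quoted = quotedPayload(to, amount);
        require(sent.length == 64, "sent payload should be 64 bytes");
        require(quoted.length == 52, "quoted payload should be 52 bytes");
        require(!payloadsMatch(to, amount), "encodings unexpectedly match");
        // Encoding with the address widened first: identical to the sent payload.
        bytes memory fixedQuote = abi.encodePacked(toBytes32(to), amount);
        require(keccak256(fixedQuote) == keccak256(sent), "fixed quote differs");
    }
}
```

abi.encodePacked does not pad an address, so the quoted message is 12 bytes shorter than the message teleport() sends.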

Impact

An inaccurate fee calculation will cause the _lzSend() function to revert because the fee sent is insufficient, griefing the user every time. The likelihood is very high and the impact is medium. Thus, the high severity.

Tools Used

Manual Analysis

Relevant Links

  1. _lzSend(): https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/TempleTeleporter.sol#L57

  2. quote(): https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/TempleTeleporter.sol#L93

Recommendations

Modify the quote() function to encode payload correctly:

function quote(
    uint32 _dstEid,
    address _to,
    uint256 _amount,
    bytes memory _options
) external view returns (MessagingFee memory fee) {
    return _quote(_dstEid, abi.encodePacked(_to.addressToBytes32(), _amount), _options, false);
}

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect payload bytes in `quote()` they use `abi.encodePacked(_to, _amount)` instead of `abi.encodePacked(_to.addressToBytes32(), _amount)`
