TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Executions can fail on the destination chain due to missing checks on minimum gas passed through LayerZero

y0ng0p3

Lines Of Code

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/TempleTeleporter.sol#L43-L58

Summary

Executions can fail on the destination chain due to missing checks on minimum gas passed through LayerZero

Vulnerability Details

In LayerZero, a call to the destination chain requires a minimum gas amount and it will revert with an out-of-gas exception otherwise.
It falls under the responsibility of the user application (TempleGold) to ensure that appropriate limits are established. These limits guide relayers in specifying the correct gas amount on the source chain, preventing users from inputting insufficient values for gas.

The contract logic in TempleTeleporter contract assumes that the user will first get their estimated fees through the TempleTeleporter::quote function so that the nativeFee in the result can be passed via msg.value as the message fees, but this not enforced and is left on the user's responsibility.

A user can pass an arbitrary value as msg.value, thus sending less gas than required which can lead to out-of-gas exception.

Once the message is received in the destination channel, the message is considered (not in INFLIGHT status anymore) delivered and will run out of gas during the execution (now in PAYLOAD STORED status). Any future message will be BLOCKED since the previous payload message nonce has a stored payload.

Impact

Any uncaught errors/exceptions (including out-of-gas) will cause the message to transition into STORED status and block the delivery of any future message in the channel.

Tools Used

https://docs.layerzero.network/v2/developers/evm/tooling/layerzeroscan#transaction-statuses

Manual review.

Recommendations

Enforces that the msg.value passed to the TempleTeleporter::teleport function is at least equals to the nativeFee value in the result of the TempleTeleporter::quote function with the params corresponding to those set by the user.

Re-engineer the architecture to make theTempleTeleporter::quote function a mandatory step of the process.

Updates

Lead Judging Commences

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Fee validation issue in send

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.