TempleGold

Summary

A critical vulnerability has been identified in the TempleGold contract's send function. The current implementation, while correctly enforcing the non-transferability of TGLD tokens, does not account for users of Account Abstraction (AA) wallets. This oversight can lead to permanent loss of tokens when AA wallet users attempt to transfer TGLD tokens across chains.

Vulnerability Details

The send function in TempleGold.sol contains a check that ensures cross-chain transfers are only possible to the sender's own address:

The vulnerability arises from the following:

1. The function assumes msg.sender on the source chain will be the same as the recipient address on the destination chain.

2. For AA wallets, the user's address can be different across different chains.

3. The check if (msg.sender != _to) prevents AA wallet users from specifying their correct address on the destination chain.

Impact

The impact of this vulnerability is severe:

1. AA wallet users cannot transfer their TGLD tokens across chains, effectively locking their tokens on the source chain.

2. If AA wallet users attempt to transfer tokens cross-chain, the tokens will be lost as they will be minted to an address they don't control on the destination chain.

3. This issue significantly limits the usability of the protocol for a growing segment of users who are adopting AA wallet solutions.

4. It may lead to a loss of trust in the protocol, especially among more technologically advanced users who are likely to use AA wallets.

Given the potential for permanent fund loss, this vulnerability should be classified as CRITICAL.

Tools Used

This vulnerability was identified through manual code review and analysis of the cross-chain token transfer mechanism, specifically focusing on its interaction with different wallet types. No specific automated tools were required to identify this issue.

Recommendations

To address this critical vulnerability while maintaining the non-transferability of TGLD, we recommend the following:

1. Implement an address linking mechanism for AA wallet users:

1. Modify the send function to check for linked addresses:

1. Implement a secure process for users to prove ownership of addresses on different chains, possibly using signature verification or other cryptographic proofs.

2. Provide clear documentation and warnings for AA wallet users about the need to link their addresses before attempting cross-chain transfers.

3. If the protocol decides not to implement these changes:

   • Clearly advertise in all relevant documentation and user interfaces that the use of AA wallets is not supported for cross-chain transfers of TGLD.

   • Implement strong warnings in the UI and transaction flow to prevent AA wallet users from attempting cross-chain transfers, as this will result in permanent loss of funds.

4. Conduct thorough audits and tests of any implemented address linking mechanism to ensure it doesn't introduce new vulnerabilities.

By implementing these recommendations, the protocol can maintain its design principle of non-transferability while providing a secure solution for AA wallet users. If these changes are not aligned with the protocol's goals, it is crucial to clearly communicate the limitations to users to prevent potential loss of funds.