Summary

permanently failed message could be message queue

Vulnerability Details

Interaction with the ILayerZeroEndpoint using the send() and lzReceive() to send and receive cross chain messages via LayerZero. LayerZero endpoint uses a blocking pattern to ensure ordered delivery of message. That means the endpoint will store messages with unhandled error/exception and block the message queue until the stored message has been retried successfully.
There could be unexpected scenarios where there is a logical error with the failed message, which will always fail and cannot be retried successfully. Due to that it is important to have a mechanism to force eject such messages to unblock the message queue using ILayerZeroApplicationConfig.forceResumeReceive() (see https://layerzero.gitbook.io/docs/evm-guides/best-practice).

So the issue is that L2MessageReceiver do not implement the forceResumeReceive() interface. That means there is no mean to unblock the message queue when it is blocked by a failed message that fails permanently.

Impact

Without forceResumeReceive(), there is no mean to resume the cross chain messaging between L1 and L2, causing the protocol to be permanently frozen.

Tools Used

Manual Review

Recommendations

Implement forceResumeReceive() for L2MessageReciever according to https://github.com/LayerZero-Labs/solidity-examples/blob/main/contracts/lzApp/LzApp.sol#L132C5-L134C6