MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

Do not call `lzEndpoint.send` directly, use `_lzSend`

Summary

The `sendMintMessage` function in `L1Sender` calls `lzEndpoint.send` directly for its cross-chain message. Bypassing the LayerZero wrapper might introduce vulnerabilities and potential security risks, and the recommended practice is to send through the provided `_lzSend` function instead.

Vulnerability Details

Calling `lzEndpoint.send` directly, instead of through the recommended `_lzSend` function, can expose the contract to unforeseen issues; LayerZero's own integration checklist advises against calling the endpoint directly ( https://layerzero.gitbook.io/docs/troubleshooting/layerzero-integration-checklist ).

Impact

A direct call to `lzEndpoint.send` carries the potential vulnerabilities associated with cross-chain communication. In addition, it skips the validation performed inside `_lzSend`; for example, the `_checkPayloadSize` check is missing. This may compromise the security and integrity of the contract, especially where additional security checks or measures are implemented within the recommended `_lzSend` function.

Recommendations

It is strongly advised to replace the direct call to `lzEndpoint.send` in the `sendMintMessage` method with the recommended `_lzSend` function. This change aligns the contract with security best practice and helps mitigate the risks associated with cross-chain communication.
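The following is an added illustration of the recommendation, not the Morpheus `L1Sender` code. It assumes LayerZero v1 and the `LzApp` base contract shipped in the `@layerzerolabs/solidity-examples` package; the contract names `MintMessageSenderDirect` and `MintMessageSenderLzApp`, the payload layout, and the constructor parameters are hypothetical. The first contract shows the direct-endpoint pattern the finding describes; the second shows the same message routed through `_lzSend`, whose checks are summarised in the comments.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration of the finding: the same mint message sent two ways.
// Assumes LayerZero v1 and the LzApp base contract from the
// @layerzerolabs/solidity-examples package (import paths as published there).
import {ILayerZeroEndpoint} from "@layerzerolabs/solidity-examples/contracts/lzApp/interfaces/ILayerZeroEndpoint.sol";
import {LzApp} from "@layerzerolabs/solidity-examples/contracts/lzApp/LzApp.sol";

/// Pattern the submission flags (assumed shape, not the project's L1Sender):
/// the contract talks to the endpoint itself, so nothing validates the
/// destination path or bounds the payload before it is sent.
contract MintMessageSenderDirect {
    ILayerZeroEndpoint public immutable lzEndpoint;
    uint16 public immutable dstChainId;
    address public immutable l2Receiver;

    constructor(address endpoint_, uint16 dstChainId_, address l2Receiver_) {
        lzEndpoint = ILayerZeroEndpoint(endpoint_);
        dstChainId = dstChainId_;
        l2Receiver = l2Receiver_;
    }

    function sendMintMessage(address user, uint256 amount, address payable refund) external payable {
        bytes memory payload = abi.encode(user, amount);
        // Direct endpoint call: no trusted-remote check, no payload size limit,
        // and the remote path (remote address ++ local address) is assembled ad hoc.
        lzEndpoint.send{value: msg.value}(
            dstChainId,
            abi.encodePacked(l2Receiver, address(this)),
            payload,
            refund,
            address(0),
            bytes("")
        );
    }
}

/// Recommended pattern: inherit LzApp and route through `_lzSend`.
/// In LzApp v1, `_lzSend` (1) runs `_checkPayloadSize`, rejecting payloads
/// above the per-chain limit (default 10,000 bytes), (2) loads the owner-set
/// trusted remote for `dstChainId` and reverts if none is configured, and
/// only then (3) calls `lzEndpoint.send` with that validated path.
contract MintMessageSenderLzApp is LzApp {
    uint16 public immutable dstChainId;

    constructor(address endpoint_, uint16 dstChainId_) LzApp(endpoint_) {
        dstChainId = dstChainId_;
    }

    function sendMintMessage(address user, uint256 amount, address payable refund) external payable {
        bytes memory payload = abi.encode(user, amount);
        // Same message, but every check inside _lzSend now runs before the endpoint call.
        _lzSend(dstChainId, payload, refund, address(0), bytes(""), msg.value);
    }

    /// Quote the native fee with the exact payload the send will carry, so callers
    /// fund msg.value correctly instead of relying on the refund path.
    function quoteMintMessage(address user, uint256 amount) external view returns (uint256 nativeFee) {
        (nativeFee, ) = lzEndpoint.estimateFees(dstChainId, address(this), abi.encode(user, amount), false, bytes(""));
    }

    /// This contract only emits messages; LzApp still requires a receive hook.
    function _blockingLzReceive(uint16, bytes memory, uint64, bytes memory) internal pure override {
        revert("MintMessageSenderLzApp: receive not supported");
    }
}
```

With the `LzApp` version, the destination path is no longer something `sendMintMessage` builds on each call: the owner sets it once with `setTrustedRemote(dstChainId, abi.encodePacked(remote, address(this)))`, and `_lzSend` reverts with "LzApp: destination chain is not a trusted source" until that is done, which is the check a direct `lzEndpoint.send` silently skips.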

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
