The lzReceive function in the L2MessageReceiver contract lacks a check for duplicate payloads, allowing for potential replay attacks. This vulnerability could lead to unintended consequences, incorrect state changes, and resource exhaustion.
Without a check for duplicate payloads, an attacker could replay a previously valid payload with the same nonce, resulting in undesired execution of the same transaction multiple times.
Duplicate payloads might trigger operations that are not designed to handle multiple executions, potentially leading to unexpected behaviors or unintended token minting.
The lack of a check for duplicate payloads poses a security and operational risk to the L2MessageReceiver contract, potentially leading to replay attacks, incorrect state changes, and unwanted operations.
Implement a nonce-based check inside the lzReceive function to prevent replay attacks, e.g. you can add the following code snippet:
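The following is an added illustration of the recommended mitigation; it is not code from the audited L2MessageReceiver contract or from the report. It assumes the receiver implements the LayerZero v1 `ILayerZeroReceiver` interface (`lzReceive(uint16, bytes, uint64, bytes)`), that the endpoint address and trusted remote are configured at deployment, and it uses a constructed payload format (`abi.encode(address to, uint256 amount)`) purely to show a state change that must not run twice. The key is recorded per source chain, source address and nonce, and is written before the payload is executed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract: a LayerZero v1 receiver that records
// every (srcChainId, srcAddress, nonce) it has executed and rejects a second
// delivery of the same message.
interface ILayerZeroReceiver {
    function lzReceive(
        uint16 _srcChainId,
        bytes calldata _srcAddress,
        uint64 _nonce,
        bytes calldata _payload
    ) external;
}

contract ReplayGuardedReceiver is ILayerZeroReceiver {
    address public immutable lzEndpoint;  // assumed: the LayerZero endpoint on this chain
    address public immutable owner;       // assumed: simple admin for configuration

    // Trusted remote sender per source chain (assumed configuration, set by owner).
    mapping(uint16 => bytes) public trustedRemote;

    // processed[srcChainId][keccak256(srcAddress)][nonce] == true once a message ran.
    mapping(uint16 => mapping(bytes32 => mapping(uint64 => bool))) public processed;

    // Constructed demo state: balances credited by bridged messages.
    mapping(address => uint256) public balance;

    event MessageExecuted(uint16 indexed srcChainId, uint64 indexed nonce, bytes32 payloadHash);

    error NotEndpoint();
    error NotOwner();
    error UntrustedRemote();
    error DuplicateMessage(uint16 srcChainId, uint64 nonce);

    constructor(address _endpoint) {
        lzEndpoint = _endpoint;
        owner = msg.sender;
    }

    function setTrustedRemote(uint16 _srcChainId, bytes calldata _remote) external {
        if (msg.sender != owner) revert NotOwner();
        trustedRemote[_srcChainId] = _remote;
    }

    function lzReceive(
        uint16 _srcChainId,
        bytes calldata _srcAddress,
        uint64 _nonce,
        bytes calldata _payload
    ) external override {
        // Only the endpoint may deliver messages.
        if (msg.sender != lzEndpoint) revert NotEndpoint();

        // Only the configured remote application on that chain is accepted.
        bytes32 srcKey = keccak256(_srcAddress);
        if (srcKey != keccak256(trustedRemote[_srcChainId])) revert UntrustedRemote();

        // Replay guard: the same (path, nonce) must never execute twice.
        if (processed[_srcChainId][srcKey][_nonce]) {
            revert DuplicateMessage(_srcChainId, _nonce);
        }
        // Effects before interactions: mark as processed before touching any state
        // the payload drives, so a re-entrant or retried delivery hits the guard.
        processed[_srcChainId][srcKey][_nonce] = true;

        _execute(_payload);
        emit MessageExecuted(_srcChainId, _nonce, keccak256(_payload));
    }

    // Constructed payload handling: credit `amount` to `to`. Without the guard above,
    // a replayed delivery would credit the same amount again.
    function _execute(bytes calldata _payload) internal {
        (address to, uint256 amount) = abi.decode(_payload, (address, uint256));
        balance[to] += amount;
    }
}
```

The guard is keyed on the full source path plus nonce rather than on a hash of the payload alone, so a legitimately re-sent identical payload arriving under a new nonce is still accepted while the same delivery can never run twice. Writing the `processed` flag before calling `_execute` is what makes the check hold even if the payload handler itself makes external calls.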