TempleGold

Summary

TempleGoldAdmin is set as an admin of the TempleGold token and delegate of the OFTApp, meaning it can perform Endpoint configurations on behalf of the App, including unblocking the path in case there are stuck messages. But the problem is that it has limited functionality and in case of an emergency, there will be prolonged blockage of the Lz path until a new delegate has been given.

Vulnerability Details

LZ path can be blocked intentionally or not. In such situations, the delegator should manually process the failing payload, unblocking the path in order for the other messages also to be processed. - https://docs.layerzero.network/v2/developers/evm/oft/quickstart#setting-delegates
The problem is that the TempleGoldAdmin has only setDelegate function available, which on top of that can be executed only after governance vote, which is what increases the blockage time.
https://github.com/LayerZero-Labs/LayerZero-v2/blob/7aebbd7c79b2dc818f7bb054aed2405ca076b9d6/packages/layerzero-v2/evm/protocol/contracts/EndpointV2.sol#L356
https://github.com/LayerZero-Labs/LayerZero-v2/blob/7aebbd7c79b2dc818f7bb054aed2405ca076b9d6/packages/layerzero-v2/evm/protocol/contracts/EndpointV2.sol#L211-L217

Impact

Prolonged blocking of the layer zero path, in case there is a failing message.

Tools Used

Manual review

Recommendations

Consider adding function in TempleGoldAdmin that calls EndpointV2::clear and EndpointV2::skip at least.