TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: low
Invalid

Unused Internal Override Function `_lzReceive` and its unauthorized access in `TempleTeleport.sol` Contract

Summary:

The _lzReceive function has no authorized access and it is an internal override function within the TempleTeleport contract. Despite being defined to handle protocol messages received with encoded payloads, it is not utilized internally within the contract or overridden by any other function. This raises concerns regarding its necessity and potential impact on the contract's functionality and security.

Vulnerability Details:

The function is internal and is never used in the derived or main contract, and there is also no check to confirm whether anyone can call it.

Level:

  • Low to Medium

Impact:

  • Functional Impact: The function's lack of internal usage suggests it does not contribute to the contract's intended operations. This could indicate redundancy or an incomplete implementation.

  • Security Impact: Unused functions can potentially introduce confusion and increase attack surface if their intended behavior is unclear or if they could be misused due to oversight.

  • It has no checks; anyone can call it, give a recipientAddress, and withdraw funds.

Proof of Concept/Explanation:

  • The _lzReceive function is marked as internal override, indicating it overrides a function from a parent contract, presumably for handling protocol messages. However, without being invoked internally or overridden elsewhere, its presence suggests it might be a vestige of earlier design decisions or an oversight during development.

  • It has no authorized access check, and a call by anyone could be used for draining users' funds.

function _lzReceive(
    Origin calldata /*_origin*/,
    bytes32 /*_guid*/,
    bytes calldata _payload,
    address /*_executor*/, // Executor address as specified by the OApp.
    bytes calldata /*_extraData*/ // Any extra data or options to trigger on receipt.
) internal override {
    // Decode the payload to get the message
    (address _recipient, uint256 _amount) = abi.decode(_payload, (address, uint256));
    temple.mint(_recipient, _amount);
}

Tools Used:

Manual, Foundry

Recommendations:

  • Documentation: Clearly document the purpose of overridden functions, even if they are not actively used, to provide context for future developers.

  • Consider Removal: If determined unnecessary, consider removing _lzReceive from the contract to reduce complexity and potential confusion.
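A way to check a claim of this kind in Foundry, as an added example that is not the submission's, TempleDAO's or LayerZero's code: a minimal, hypothetical model of the OApp receive path in which the external `lzReceive` entry point is restricted to the configured endpoint and the `internal` `_lzReceive` handler (same shape as the one quoted above) is reachable only through it. `MockTemple`, `MockTeleport`, `Origin` and the endpoint and caller addresses are constructed for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
struct Origin { uint32 srcEid; bytes32 sender; uint64 nonce; }
// Constructed stand-in for the TEMPLE token; only mint() matters here.
contract MockTemple {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
}

// Hypothetical, simplified model of the OApp receive path (not TempleTeleport.sol):
// lzReceive is the only external entry and is gated to the endpoint; _lzReceive stays internal.
contract MockTeleport {
    error OnlyEndpoint(address caller);
    address public immutable endpoint;
    MockTemple public immutable temple;
    constructor(address _endpoint, MockTemple _temple) { endpoint = _endpoint; temple = _temple; }
    function lzReceive(Origin calldata _origin, bytes32 _guid, bytes calldata _payload,
        address _executor, bytes calldata _extraData) external payable {
        if (msg.sender != endpoint) revert OnlyEndpoint(msg.sender);
        _lzReceive(_origin, _guid, _payload, _executor, _extraData);
    }
    // Same shape as the handler quoted in the report: decode the payload, then mint.
    function _lzReceive(Origin calldata, bytes32, bytes calldata _payload, address, bytes calldata) internal {
        (address _recipient, uint256 _amount) = abi.decode(_payload, (address, uint256));
        temple.mint(_recipient, _amount);
    }
}

contract ReceiveAccessTest is Test {
    address constant ENDPOINT = address(0xE0);
    address constant CALLER = address(0xA1);
    MockTemple temple = new MockTemple();
    MockTeleport teleport = new MockTeleport(ENDPOINT, temple);
    bytes payload = abi.encode(CALLER, 1_000 ether); // constructed message: (recipient, amount)
    // A direct call from an arbitrary address must revert before _lzReceive runs.
    function test_nonEndpointCannotMint() public {
        vm.prank(CALLER);
        vm.expectRevert(abi.encodeWithSelector(MockTeleport.OnlyEndpoint.selector, CALLER));
        teleport.lzReceive(Origin(1, bytes32(0), 1), bytes32(0), payload, address(0), "");
        assertEq(temple.balanceOf(CALLER), 0);
    }
    // Only the configured endpoint reaches the internal handler and mints.
    function test_endpointCanMint() public {
        vm.prank(ENDPOINT);
        teleport.lzReceive(Origin(1, bytes32(0), 1), bytes32(0), payload, address(0), "");
        assertEq(temple.balanceOf(CALLER), 1_000 ether);
    }
}
```

Run it with `forge test --match-contract ReceiveAccessTest`; the same two assertions can be pointed at the real contract by replacing the mocks with its deployed instance and endpoint address.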

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
