The _lzReceive function has no authorized access and it is an internal override function within the TempleTeleport contract. Despite being defined to handle protocol messages received with encoded payloads, it is not utilized internally within the contract or overridden by any other function. This raises concerns regarding its necessity and potential impact on the contract's functionality and security.
The function is internal and is never used in the derived or main contract, and there is also no check to confirm whether anyone can call it.
Low to Medium
Functional Impact: The function's lack of internal usage suggests it does not contribute to the contract's intended operations. This could indicate redundancy or an incomplete implementation.
Security Impact: Unused functions can potentially introduce confusion and increase attack surface if their intended behavior is unclear or if they could be misused due to oversight.
It has no checks: anyone can call it, give a receipientAddress, and withdraw funds.
The _lzReceive function is marked as internal override, indicating it overrides a function from a parent contract, presumably for handling protocol messages. However, without being invoked internally or overridden elsewhere, its presence suggests it might be a vestige of earlier design decisions or an oversight during development.
It has no authorized access check, and it can be called by anyone and used to drain users' funds.
Manual, Foundry
Documentation: Clearly document the purpose of overridden functions, even if they are not actively used, to provide context for future developers.
Consider Removal: If determined unnecessary, consider removing _lzReceive from the contract to reduce complexity and potential confusion.