Summary:

The _lzReceive function has no auhorized access and it is an internal override function within the TempleTeleport contract. Despite being defined to handle protocol messages received with encoded payloads, it is not utilized internally within the contract or overridden by any other function. This raises concerns regarding its necessity and potential impact on the contract's functionality and security.

Vulnerability Details:

The function is internal and never used in derived and main contract and also there is no check to confirm if anyone can call

Level:

• Low to Medium

Impact:

• Functional Impact: The function's lack of internal usage suggests it does not contribute to the contract's intended operations. This could indicate redundancy or an incomplete implementation.

• Security Impact: Unused functions can potentially introduce confusion and increase attack surface if their intended behavior is unclear or if they could be misused due to oversight.

• It has no checks any one can call give receipientAddress can withdraw funds

Proof of Concept/Explanation:

• The _lzReceive function is marked as internal override, indicating it overrides a function from a parent contract, presumably for handling protocol messages. However, without being invoked internally or overridden elsewhere, its presence suggests it might be a vestige of earlier design decisions or an oversight during development.

• It has no authorized access check and its call by anyone used for draining users fund.

Tools Used:

Manual, Foundry

Recommendations:

Documentation: Clearly document the purpose of overridden functions, even if they are not actively used, to provide context for future developers.

• Consider Removal: If determined unnecessary, consider removing _lzReceive from the contract to reduce complexity and potential confusion.