Summary

The implementation of TempleTeleporter inherits from LayerZero's OApp which doesn't bring support for enforced options by default.

Vulnerability Details

Unlike OFT applications used in the TempleGold implementation, bare LayerZero's OApp do not include by default handling for enforced options. As stated in their documentation, enforced options are the way in which protocol owners can set the requirements for user input options set while bridging messages.

Once you determine ideal message _options, you will want to make sure users adhere to it. In the case of OApp, you mostly want to make sure the gas amount you have included in _options for the lzReceive call can be enforced for all callers of _lzSend, to prevent reverts.

The setEnforcedOptions function allows the contract owner to specify mandatory execution options, making sure that the application behaves as expected when users interact with it.

Execution options control different aspects of the messaging, in particular gas options used to cover gas and fees costs.

Impact

User options used to call teleport() and forward to _lzSend() cannot be validated and enforced by the owners of the contract. Failure to set proper gas options could lead to reverts in the destination chain, causing loss of funds.

Tools Used

None.

Recommendations

Implement support for enforced options as detailed in the LayerZero's documentation.