The revertedBridgeOutRequest function won't revert in the case the underlying call to bridgeOut doesn't return the expected Holographable.bridgeOut.selector value. This probably happens because it is assuming that the call failed and didn't do anything, but this may not always be the case, since the call can have side effects.
There's a notice in a comment that reads "Do not call this function, it will always revert", but since this is an unprotected external function anyone can call it.
What is particularly concerning here is that the call will be executed from the bridge, effectively passing any onlyBridge check, and can target any holographable contract with an arbitrary payload, since these are just the arguments of this function.
Since this is an unprotected function, anyone can call this targeting any holographable contract using an arbitrary payload to the bridgeOut function.
For example, let's say we have a holographable contract that has this bridgeOut implementation:
function bridgeOut(
uint32 toChain,
address sender,
bytes calldata payload
) external onlyBridge returns (bytes4 selector, bytes memory data) {
// assume "modified" is a boolean storage variable
modified = true;
// make sure selector as something different than "Holographable.bridgeOut.selector"
selector = 0x12345678;
}
The function will modify state, and because the selector won't match the expected selector, revertedBridgeOutRequest won't revert and will simply return "HOLOGRAPH: bridge out failed".
The intention of this function isn't clear, but in any case it should always revert, even if the returned value doesn't match the expected selector value. However, also consider removing it since it represents a huge attack surface on the bridging process.