Open howlbot-integration[bot] opened 4 months ago
Picodes changed the severity to QA (Quality Assurance)
This previously downgraded issue has been upgraded by Picodes
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/rollup/BOLDUpgradeAction.sol#L344-L359
Vulnerability details
Impact
Although it is stated that not more than 50 stakers are expected, this remains a projection. Therefore, if there exist more than 50 stakers, these stakers would be stuck on the older rollup.
Their funds would also be permanently stuck on the old rollup contract.
Proof of Concept
Tools Used
Manual Review, Josephdara
Recommended Mitigation Steps
Implement a function to complete refunds, or transfer the ownership of the old rollup contract to a new address after upgrade to allow for manual forceRefund calls.
Assessed type
Other