Open c4-bot-9 opened 4 months ago
As stated in the Gnosis docs, when using the relayTokensAndCall() bridging method, the user should first call approve on the ERC-677 token, but it is not called when distributing the staking incentives, making it possible to revert
There's an approve 2 lines before:
IToken(olas).approve(l1TokenRelayer, transferAmount);
Lines of code
https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/GnosisDepositProcessorL1.sol#L68
Vulnerability details
Impact
In the current implementation of GnosisDepositProcessorL1, _sendMessage() calls the bridge function relayTokensAndCall(), which is supposed to transfer the tokens to the L2TargetDispenser. However, the functionality deviates from the spec as it misses the approval for the ERC-677 token.
Proof of Concept
According to the spec:
https://github.com/omni/omnibridge/blob/c814f686487c50462b132b9691fd77cc2de237d3/contracts/upgradeable_contracts/components/common/TokensRelayer.sol#L74
However, the contract doesn't call this method and makes it impossible to transfer the tokens to L2.
Tools Used
Manual review.
Recommended Mitigation Steps
Add an approval on ERC-677 token.
Assessed type
Other
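To make the ordering the reviewer points to concrete, the following is an added Solidity illustration, not code from the Olas repository or from Omnibridge. It uses constructed mocks: a minimal ERC-20-style token (ERC-677 keeps ERC-20 allowance semantics) and a relayer whose relayTokensAndCall() pulls tokens with transferFrom, which is why the caller's approve() must precede the call. The contract and function names (DepositorExample, sendWithApproval, sendWithoutApproval, MockRelayer, MockToken) and the relayer's simplified signature are assumptions for the example; only IToken, olas, l1TokenRelayer and transferAmount follow the names on the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Interface subset using the IToken name from the page (approve/transferFrom/allowance/balanceOf).
interface IToken {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical, simplified relayer surface; the real Omnibridge signature is not reproduced here.
interface ITokenRelayer {
    function relayTokensAndCall(address token, address receiver, uint256 amount, bytes calldata data) external;
}

// Constructed mock relayer: pulls the tokens from msg.sender, so it needs an allowance first.
contract MockRelayer is ITokenRelayer {
    event Relayed(address token, address receiver, uint256 amount, bytes data);

    function relayTokensAndCall(address token, address receiver, uint256 amount, bytes calldata data) external {
        // Reverts with "insufficient allowance" when the caller never approved this relayer.
        require(IToken(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        emit Relayed(token, receiver, amount, data);
    }
}

// Constructed mock token with standard allowance bookkeeping.
contract MockToken is IToken {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public override allowance;

    constructor(address holder, uint256 supply) {
        balanceOf[holder] = supply;
    }

    function approve(address spender, uint256 amount) external override returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "insufficient allowance");
        require(balanceOf[from] >= amount, "insufficient balance");
        allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical depositor showing both orderings side by side.
contract DepositorExample {
    address public immutable olas;
    address public immutable l1TokenRelayer;

    constructor(address _olas, address _l1TokenRelayer) {
        olas = _olas;
        l1TokenRelayer = _l1TokenRelayer;
    }

    // Correct ordering (what the reviewer notes the real code already does):
    // grant the relayer an allowance for transferAmount, then let it pull the tokens.
    function sendWithApproval(address l2Target, uint256 transferAmount, bytes calldata data) external {
        IToken(olas).approve(l1TokenRelayer, transferAmount);
        ITokenRelayer(l1TokenRelayer).relayTokensAndCall(olas, l2Target, transferAmount, data);
    }

    // The ordering the report assumed: no approve, so the relayer's transferFrom reverts
    // and no tokens leave this contract.
    function sendWithoutApproval(address l2Target, uint256 transferAmount, bytes calldata data) external {
        ITokenRelayer(l1TokenRelayer).relayTokensAndCall(olas, l2Target, transferAmount, data);
    }
}
```

Deploying MockToken with DepositorExample as the holder, then calling sendWithoutApproval, reverts inside the mock relayer's transferFrom; sendWithApproval succeeds and moves transferAmount to the relayer. The useful review check is therefore not "is approve present somewhere" but "is the allowance granted to exactly the contract that performs transferFrom, for at least the amount relayed, before the relay call", which is what the line the reviewer quotes establishes.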