Closed c4-bot-9 closed 4 months ago
ArbitrumDepositProcessorL1#_sendMessage has this check:
```solidity
function _sendMessage(
    address[] memory targets,
    uint256[] memory stakingIncentives,
    bytes memory bridgePayload,
    uint256 transferAmount
) internal override returns (uint256 sequence) {
    // Length check against the constant discussed in this report
    if (bridgePayload.length != BRIDGE_PAYLOAD_LENGTH) {
        revert IncorrectDataLength(
            BRIDGE_PAYLOAD_LENGTH,
            bridgePayload.length
        );
    }

    // Decode the five bridge parameters from the payload
    (
        address refundAccount,
        uint256 gasPriceBid,
        uint256 maxSubmissionCostToken,
        uint256 gasLimitMessage,
        uint256 maxSubmissionCostMessage
    ) = abi.decode(
        bridgePayload,
        (address, uint256, uint256, uint256, uint256)
    );
    // (excerpt: the rest of the function is not quoted in the report)
}
```
Lines of code
https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/ArbitrumDepositProcessorL1.sol#L72
https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/ArbitrumDepositProcessorL1.sol#L126
Vulnerability details
Impact
ArbitrumDepositProcessor#_sendMessage, which is called when Dispenser#claimStakingIncentives runs, will always revert if the chainId is Arbitrum's chainId.
Proof of Concept
ArbitrumDepositProcessorL1#_sendMessage has this check:
bridgePayload is meant to contain the following:
address refundAccount=20 bytes
uint256 gasPriceBid=32 bytes
uint256 maxSubmissionCostToken=32 bytes
uint256 gasLimitMessage=32 bytes
uint256 maxSubmissionCostMessage=32 bytes
total=32+32+32+32+20=148 bytes
But the constant BRIDGE_PAYLOAD_LENGTH is set to 160 bytes. Therefore, the check will always revert, and claimStakingIncentives won't be possible.
Tools Used
Manual Review
Recommended Mitigation Steps
In ArbitrumDepositProcessorL1, change the constant BRIDGE_PAYLOAD_LENGTH to 148
Assessed type
Error
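To check a length constant such as BRIDGE_PAYLOAD_LENGTH against the tuple that `_sendMessage` decodes, the sketch below computes that tuple's size under standard ABI encoding (the layout `abi.decode` reads) and under packed encoding. It is an added example, not code from the report or the Olas repository; the helper names and sample values are constructed for illustration.

```python
# Added example: size of the tuple decoded in _sendMessage under two encodings.
# Field names and types come from the abi.decode call quoted in the report.
FIELDS = [
    ("refundAccount", "address"),
    ("gasPriceBid", "uint256"),
    ("maxSubmissionCostToken", "uint256"),
    ("gasLimitMessage", "uint256"),
    ("maxSubmissionCostMessage", "uint256"),
]
WORD = 32  # standard ABI encoding stores every static value in one 32-byte word

# Constructed sample values, for illustration only.
SAMPLE = ["0x" + "11" * 20, 2_000_000_000, 10**15, 500_000, 10**15]


def raw_bytes(sol_type, value):
    """Unpadded big-endian bytes of one value (20 for address, 32 for uint256)."""
    if sol_type == "address":
        raw = bytes.fromhex(value.removeprefix("0x"))
        if len(raw) != 20:
            raise ValueError("address must be 20 bytes")
        return raw
    return value.to_bytes(32, "big")  # uint256; OverflowError if out of range


def encode_standard(values):
    """Layout produced by abi.encode: each value left-padded to a full word."""
    return b"".join(raw_bytes(t, v).rjust(WORD, b"\x00")
                    for (_, t), v in zip(FIELDS, values))


def encode_packed(values):
    """Layout produced by abi.encodePacked: values concatenated, no padding."""
    return b"".join(raw_bytes(t, v) for (_, t), v in zip(FIELDS, values))


def decode_standard(payload):
    """Decode the word-aligned layout abi.decode reads; reject other lengths."""
    if len(payload) != WORD * len(FIELDS):
        raise ValueError(f"expected {WORD * len(FIELDS)} bytes, got {len(payload)}")
    out = {}
    for i, (name, sol_type) in enumerate(FIELDS):
        word = payload[i * WORD:(i + 1) * WORD]
        if sol_type == "address":
            if any(word[:12]):  # this sketch requires zeroed address padding
                raise ValueError("address word has non-zero padding")
            out[name] = "0x" + word[12:].hex()
        else:
            out[name] = int.from_bytes(word, "big")
    return out
```

With the sample values, `encode_standard` returns 160 bytes and `encode_packed` returns 148 bytes; `decode_standard` accepts only the former.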