code-423n4 / 2024-05-olas-validation

In WormholeDepositProcessorL1 and WormholeTargetDispenserL2, BRIDGE_PAYLOAD_LENGTH should be 52, not 64 #269

Closed c4-bot-2 closed 4 months ago

c4-bot-2 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/WormholeDepositProcessorL1.sol#L13
https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/WormholeTargetDispenserL2.sol#L52
https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/WormholeDepositProcessorL1.sol#L59-L71
https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/staking/WormholeTargetDispenserL2.sol#L89-L96

Vulnerability details

Impact

_sendMessage within WormholeTargetDispenserL2 and WormholeDepositProcessorL1 will revert, preventing users from claiming staking incentives.

Proof of Concept

Here is WormholeDepositProcessor#_sendMessage:

    function _sendMessage(
        address[] memory targets,
        uint256[] memory stakingIncentives,
        bytes memory bridgePayload,
        uint256 transferAmount
    ) internal override returns (uint256 sequence) {
        // Check for the bridge payload length
        if (bridgePayload.length != BRIDGE_PAYLOAD_LENGTH) {
            revert IncorrectDataLength(BRIDGE_PAYLOAD_LENGTH, bridgePayload.length);
        }

        // Decode required parameters
        (address refundAccount, uint256 gasLimitMessage) = abi.decode(bridgePayload, (address, uint256));
        ...
    }

bridgePayload contains:

address refundAccount = 20 bytes

uint256 gasLimitMessage = 32 bytes

total = 52 bytes

But BRIDGE_PAYLOAD_LENGTH is set to 64 bytes. This will cause a revert when claiming staking incentives because of the check in the _sendMessage function.

The same thing can be found in WormholeTargetDispenserL2#_sendMessage.

Tools Used

Manual Review

Recommended Mitigation Steps

Within WormholeDepositProcessorL1 and WormholeTargetDispenserL2, set BRIDGE_PAYLOAD_LENGTH to 52.

Assessed type

Error
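
The length check and decode from the _sendMessage excerpt, modelled against both encodings of (address, uint256). This is an added example, not part of the original issue or the project's code. It assumes standard ABI layout, where abi.decode reads each static value as a full 32-byte word; send_message is a hypothetical model and the sample address and gas limit are constructed.

```python
WORD = 32  # the ABI encodes every static value as one 32-byte word

def encode_standard(addr: bytes, value: int) -> bytes:
    """Layout of abi.encode(address, uint256): address left-padded to a word."""
    if len(addr) != 20:
        raise ValueError("address must be 20 bytes")
    return addr.rjust(WORD, b"\x00") + value.to_bytes(WORD, "big")

def encode_packed(addr: bytes, value: int) -> bytes:
    """Layout of abi.encodePacked(address, uint256): 20 + 32 bytes, no padding."""
    if len(addr) != 20:
        raise ValueError("address must be 20 bytes")
    return addr + value.to_bytes(WORD, "big")

def decode_standard(payload: bytes):
    """What abi.decode(payload, (address, uint256)) needs: two full head words."""
    if len(payload) < 2 * WORD:
        raise ValueError(f"need {2 * WORD} bytes, got {len(payload)}")
    head, tail = payload[:WORD], payload[WORD:2 * WORD]
    if any(head[:12]):
        raise ValueError("address word has non-zero padding")
    return head[12:], int.from_bytes(tail, "big")

def send_message(payload: bytes, bridge_payload_length: int):
    """Hypothetical model of _sendMessage's first steps: length check, then decode."""
    if len(payload) != bridge_payload_length:
        return f"IncorrectDataLength({bridge_payload_length}, {len(payload)})"
    try:
        return decode_standard(payload)
    except ValueError as err:
        return f"decode failed: {err}"

# Constructed sample values (not taken from the project).
REFUND = bytes.fromhex("11" * 20)
GAS_LIMIT = 2_000_000

if __name__ == "__main__":
    samples = (("abi.encode", encode_standard(REFUND, GAS_LIMIT)),
               ("abi.encodePacked", encode_packed(REFUND, GAS_LIMIT)))
    for name, data in samples:
        for constant in (64, 52):
            print(f"{name:16} len={len(data)} constant={constant} ->",
                  send_message(data, constant))
```
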