Othentic – Permanent revert on rewards submission

Permanent blockage in the rewards distribution process.

Vulnerability Details

In the AVSGovernance contract, when processing a payment request from the AttestationCenter contract, the function createOperatorDirectedAVSRewardsSubmission constructs the submission and prepares to interact with the RewardsCoordinator contract. This involves withdrawing rewards from the treasury and granting token approval.

While the withdrawal of rewards and the call to the RewardsCoordinator contract are conducted without the possibility of reverting, the approval process is not handled in the same way. Some tokens do not permit approval from a non-zero value to another non-zero value, leading to a potential revert.

If this occurs, the execution of createOperatorDirectedAVSRewardsSubmission will fail, resulting in successful cross-chain execution on the source chain (in AttestationCenter), but rewards will remain undelivered, and operators’ payment statuses will not be updated.

Vulnerable scenario

The situation unfolds as follows:

1. The AVS utilizes a token that restricts approvals from a non-zero to a non-zero value.
2. The AVS manager initiates the distribution of rewards.
3. The AVSGovernance contract invokes the function createOperatorDirectedAVSRewardsSubmission. The token is approved successfully, but the subsequent call to createOperatorDirectedAVSRewardsSubmission in the RewardsCoordinator contract fails (for instance, due to the flow being paused).
4. The AVSGovernance contract modifies the operator’s list to indicate that no rewards have been distributed.
5. The AttestationCenter contract on L2 updates the payment statuses of operators, leaving the claimable fees unaltered.
6. The AVS manager attempts to distribute the rewards again.
7. Upon retrying createOperatorDirectedAVSRewardsSubmission, the approval call now
   reverts.