Othentic – Uncleared claims

Operators face the risk of losing rewards on the default L2 and also jeopardize
subsequent rewards on the non-default L2.

Vulnerability Details

The AVSGovernance contract on Layer 1 (L1) can interface with multiple AttestationCenter contracts located on various Layer 2 (L2) networks. For any cross-chain communication initiated from these L2s that requires confirmation, it is essential to send the confirmation back to the specific AttestationCenter that originated the communication.

In the current rewards distribution implementation, when an AttestationCenter on any L2 requests rewards distribution, it awaits confirmation from L1 to complete the process (which includes updating payment status and the fee to claim value).

However, the AVSGovernance contract on L1 incorrectly routes the confirmation to the AttestationCenter contract associated with a default L2, identified by the lzEid variable, regardless of the original request’s source.

Vulnerable scenario

The scenario unfolds as follows:

1. The AVS is deployed on Ethereum, with the AVSGovernance contract supporting Arbitrum and Optimism via their respective AttestationCenter contracts, with Arbitrum designated as the default.
2. Operators receive rewards on both L2s (feeToClaim updated on both L2s).
3. During a rewards distribution request coming from Optimism through EigenLayer, the AttestationCenter contract on Optimism sends a rewards distribution request to L1.
4. Upon processing, the AVSGovernance contract on L1 redistributes rewards but mistakenly sends confirmation to the AttestationCenter contract on Arbitrum.
5. Corresponding fees to claim on Arbitrum are deducted (if they exist), resulting in a loss of rewards for the operator on Arbitrum.
6. The payment status on Optimism remains marked as COMMITTED, preventing further rewards distribution from Optimism.