Summary

According to the documentation, the contract is intended to be deployed on the Arbitrum network using version 0.8.23.

The Solidity files use pragma solidity 0.8.23;, which, when compiled, utilizes the opcode PUSH0. This opcode is not supported on the Arbitrum network.

https://docs.arbitrum.io/for-devs/concepts/differences-between-arbitrum-ethereum/solidity-support

Vulnerability Details

SOLIDITY 0.8.23

The following POC demonstrates the deployment issue using 0.8.23.

Use the Arbitrum testnet by claiming free Arbitrum Sepolia ETH on Alchemy and use their RPC for testing this POC. We will also use a fork to avoid spending testnet ETH.

Setup a fork:

As observed, the deployment fails. To confirm it's related to Arbitrum, let's test on the Ethereum Sepolia network.

Deploy on ETH Sepolia testnet

Setup a fork

Impact

The impact is high for the following reasons:

Deployment Failure: This issue directly prevents the deployment of the contract on the Arbitrum network using Solidity 0.8.23, which is a significant obstacle for the project planning to deploy on Arbitrum.

Requirement of Version Downgrade: The need to downgrade the Solidity version to avoid this issue necessitates additional work, including re-auditing the contract. This adds time, cost, and complexity to the development process.

Potential for Unnoticed Deployment Issues: Developers might not immediately recognize this incompatibility, leading to wasted resources and potentially delayed project timelines.

Tools Used

Manual review and official documentation

https://docs.arbitrum.io/for-devs/concepts/differences-between-arbitrum-ethereum/solidity-support

Recommendations

Downgrade the contract's pragma version and test the implementation to ensure it works after the downgrade.

Always test your contract on a testnet before releasing it to ensure full functionality as expected.