Summary

PUSH0 opcode is not supported on Arbitrum chain.

Vulnerability Details

All of the contracts in scope have the version pragma fixed to be compiled using Solidity 0.8.25, which includes the PUSH0 opcode in the compiled bytecode.

Both in the docs and in the Readme, the project has clearly stated they are planning to deploy the contracts on Arbitrum.

However, on Arbitrum the PUSH0 opcode is not supported yet. Since the project is using a solidity version higher than 0.8.20 and shanghai as the evm version (see the foundry.toml file), the PUSH0 opcode will be introduced in the bytecode.

Impact

The bytecode will not be compatible with the Arbitrum chain.
Deploying the protocol on Arbitrum with the current Solidity version (0.8.25) and evm version (shanghai) may result in unexpected behavior or failure due to the unsupported PUSH0 opcode on the chain.

Tools Used

Manual review.

Recommendations

Set evm version configuration parameter with Foundry. You can make the following change to the foundry.toml file: