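// Owner-only controls for the relayer whitelist.
// Flips the global switch that decides whether the whitelist is enforced.
function toggleRelayersWhitelistEnabled() public onlyOwner {
    relayersWhitelistEnabled = !relayersWhitelistEnabled;
}

// Toggles the whitelist status of a single relayer address.
function toggleRelayer(address _relayer) public onlyOwner {
    _toggleRelayer(_relayer);
}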
Github username: --
Twitter username: --
Submission hash (on-chain): 0x07a8c324cc7925fee2d1a4588ecf79c8dbc6468b57d4d9fa23a77a37250f6ccd
Severity: medium
Description:
In the current implementation, the owner has the power to set or update the relayer. This can be seen in the abstract contract AllowedRelayers.
AllowedRelayers.sol#L27-L33
There is a modifier implemented to check whether the caller is a relayer or not:
onlyRelayer
Please note that the above check works only if relayersWhitelistEnabled is enabled; it then checks for the relayer in the mapping.
Looking at the function toggleRelayersWhitelistEnabled, this toggle can be updated at any time by the owner. So, if it is set to false, onlyRelayer will allow anyone to act as a relayer.
This can be problematic in many cases where some of the critical functions depend on the relayer modifier.
For example, let's look at the ackTransaction function in the BitcoinProver contract.
Case 1:
BitcoinProver.sol#L263-L277
At the end of the function, it calls the callback function at the relayer-provided callback address. A malicious relayer could misuse this callback function with its own callback structure.
Case 2:
VaultBitcoinWallet.sol#L328-L344
It can finalise any data without checking whether the data is valid or not inside the _serializers mapping.
Attack Scenario
A malicious relayer can disrupt the deposit and withdrawal process completely.
Attachments
It would be better to remove relayersWhitelistEnabled from the onlyRelayer modifier.
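The gate discussed in this report, sketched as an added Solidity example (not the audited project's code): the modifier as the report describes it next to the unconditional check it recommends. The `relayers` mapping, the error names and the `GateDemo` functions are assumptions made for this sketch; the two toggle functions mirror the ones quoted in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited project's code. The `relayers` mapping,
// the custom errors and the ack*() functions are assumptions for this sketch.
abstract contract RelayerGate {
    address public immutable owner;
    bool public relayersWhitelistEnabled = true;
    mapping(address => bool) internal relayers;

    error NotOwner();
    error NotRelayer();

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function toggleRelayersWhitelistEnabled() public onlyOwner {
        relayersWhitelistEnabled = !relayersWhitelistEnabled;
    }

    function toggleRelayer(address _relayer) public onlyOwner {
        relayers[_relayer] = !relayers[_relayer];
    }

    // Behaviour the report describes: the mapping is consulted only while the
    // flag is true, so a single owner toggle turns the gate into a no-op.
    modifier onlyRelayerAsReported() {
        if (relayersWhitelistEnabled && !relayers[msg.sender]) revert NotRelayer();
        _;
    }

    // The report's recommendation: membership is checked unconditionally.
    modifier onlyRelayerStrict() {
        if (!relayers[msg.sender]) revert NotRelayer();
        _;
    }
}

contract GateDemo is RelayerGate {
    uint256 public acksAsReported;
    uint256 public acksStrict;

    function ackAsReported() external onlyRelayerAsReported { acksAsReported++; }
    function ackStrict() external onlyRelayerStrict { acksStrict++; }
}
```

After the owner calls `toggleRelayersWhitelistEnabled()` once, `ackAsReported()` succeeds for any caller, while `ackStrict()` still reverts with `NotRelayer` for addresses that were never whitelisted.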