Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fee Bypass during VaultBitcoinWallet contract deployment #94

Open
hats-bug-reporter bot opened this issue Jul 16, 2024 · 1 comment
Open

Fee Bypass during VaultBitcoinWallet contract deployment #94

hats-bug-reporter bot opened this issue Jul 16, 2024 · 1 comment
Labels
Invalid - lead auditor invalid This doesn't seem right

Comments

@hats-bug-reporter
Copy link

Github username: --
Twitter username: --
Submission hash (on-chain): 0xa99bd68bb8f9994f1925459648a4e5caf208d243cd83ce7dacdbe72209d76551
Severity: medium

Description:
Description
The VaultBitcoinWallet contract does not set the satoshiPerByte fee during deployment, which can be leveraged by users to bypass fees before the setFee function is called. This vulnerability arises because the setFee function is not invoked in the constructor, leaving the satoshiPerByte fee uninitialized until explicitly set after deployment.

Attack Scenario
A user could exploit this vulnerability by performing transactions that bypass the fee mechanism before the setFee function is called. This could result in financial losses of protocol

Attachments

  1. Proof of Concept (PoC) File

The constructor of the VaultBitcoinWallet contract does not include a mechanism to set the satoshiPerByte fee:

constructor(
    address _prover,
    bytes memory _offchainSigner,
    BitcoinUtils.WorkingScriptSet memory _loadScripts,
    address _queue,
    TxSerializerFactory _serializerFactory,
    RefuelTxSerializerFactory _refuelSerializerFactory
)
BitcoinAbstractWallet(_prover)
RotatingKeys(keccak256(abi.encodePacked(block.number)), type(VaultBitcoinWallet).name)//@audit-satoshiPerByte is not set
{
    btcToken = new PeggedBTC();
    queue = OutgoingQueue(_queue);

    workingScriptSet = _loadScripts;

    IScript[] memory _scripts = new IScript[](3);
    _scripts[0] = workingScriptSet.vaultScript;
    _scripts[1] = workingScriptSet.p2pkhScript;
    _scripts[2] = workingScriptSet.p2shScript;

    _setSupportedScripts(_scripts);
    _updateOffchainSignerPubKey(_offchainSigner);

    feeSetter = msg.sender;

    serializerFactory = _serializerFactory;
    refuelSerializerFactory = _refuelSerializerFactory;
}
  1. Revised Code File (Optional)
  • To mitigate this issue, the constructor should be modified to include a parameter for the initial fee and set it during deployment. This ensures that the fee is set immediately upon contract creation.
constructor(
    address _prover,
    bytes memory _offchainSigner,
    BitcoinUtils.WorkingScriptSet memory _loadScripts,
    address _queue,
    TxSerializerFactory _serializerFactory,
    RefuelTxSerializerFactory _refuelSerializerFactory,
    uint256 _initialFee // Add this parameter
)
BitcoinAbstractWallet(_prover)
RotatingKeys(keccak256(abi.encodePacked(block.number)), type(VaultBitcoinWallet).name)
{
    btcToken = new PeggedBTC();
    queue = OutgoingQueue(_queue);

    workingScriptSet = _loadScripts;

    IScript[] memory _scripts = new IScript[](3);
    _scripts[0] = workingScriptSet.vaultScript;
    _scripts[1] = workingScriptSet.p2pkhScript;
    _scripts[2] = workingScriptSet.p2shScript;

    _setSupportedScripts(_scripts);
    _updateOffchainSignerPubKey(_offchainSigner);

    feeSetter = msg.sender;

    serializerFactory = _serializerFactory;
    refuelSerializerFactory = _refuelSerializerFactory;

    // Set the initial fee
    setFee(_initialFee);
}
@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Jul 16, 2024
@party-for-illuminati party-for-illuminati added invalid This doesn't seem right and removed bug Something isn't working labels Jul 16, 2024
@batmanBinary
Copy link

@party-for-illuminati ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Invalid - lead auditor invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rotcivegaf @party-for-illuminati @batmanBinary