`FeeSetter` can set incredible high `satoshiPerByte` in `packages/contracts/contracts/illuminex/xengine/chains/btc/wallet/VaultBitcoinWallet.sol` to cause users unable to withdraw.

[hats-bug-reporter[bot]]

Github username: @erictee2802 Twitter username: 0xEricTee Submission hash (on-chain): 0x967e50292d9747a1c1ca7f31b95fa9301cd971df1f99799469463f4b651c6867 Severity: medium

Description: Description

In packages/contracts/contracts/illuminex/xengine/chains/btc/wallet/VaultBitcoinWallet.sol::setFee():

function setFee(uint64 _satoshiPerByte) public {
        require(msg.sender == feeSetter);
        emit FeeSet(_satoshiPerByte);

        satoshiPerByte = _satoshiPerByte;
    }

Noticed there is no lower/upper bound for satoshiPerByte value.

Attack Scenario

As a result, FeeSetter can set satoshiPerByte to a ridiculously large value to cause users unable to withdraw properly, resulting in denial of service state.

Attachments

NA

1. Proof of Concept (PoC) File

When large value of satoshiPerByte is set, the withdraw function will revert everytime due to underflow:

function withdraw(bytes memory to, uint64 amount, uint64 minReceiveAmount, bytes32 idSeed) public {
        uint64 amountAfterNetworkFee = amount - (BYTES_PER_OUTGOING_TRANSFER * satoshiPerByte); //@audit revert here
        require(amountAfterNetworkFee >= minWithdrawalLimit, "AFL");

        uint64 protocolFees = amountAfterNetworkFee * withdrawalFee / 1000;
        if (isExcludedFromFees[msg.sender]) {
            protocolFees = 0;
        }
//REDACTED

2. Revised Code File (Optional)

Consider restricting boundary for satoshiPerByte value.

[party-for-illuminati]

FeeSetter is trusted, and will be set to a Safe multisig for the first time, and migrated to fee-setter guard contract later