hats-finance / illuminex-0x0bb4aa1f58719707405c231fcdf0b405714799cf


Malicious actor can finish tx serializing before relayers #16

Open hats-bug-reporter[bot] opened 3 months ago

hats-bug-reporter[bot] commented 3 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x3ab17167f8ff71bf669daef779de918fbdbfc9fc01a30327f0bdf074c121cc22
Severity: medium

Description:

An attacker can directly finish TX serialization before the relayers by directly calling the serializeTx() function before the relayers via enrichSigHash() or serializeOutgoingTransaction().

AbstractTxSerializer.sol - serializeOutgoingTransaction()

    function serializeTx(
        TxSerializingProgress storage _progress,
        BitcoinUtils.BitcoinTransaction storage _tx,
        uint256 _count
    ) external {
        require(_progress.state != TxSerializingState.Finished, "AF");

        if (_progress.state == TxSerializingState.Headers) {
            BitcoinUtils.serializeTransactionHeader(_progress.stream, _tx);
            _progress.state = TxSerializingState.Inputs;
        }

        // Serialize inputs
        BitcoinUtils.serializeTransactionInputs(
            _progress.stream,
            _tx,
            _progress.progress,
            _progress.progress + _count
        );

        _progress.progress += _count;
        if (_progress.progress == _tx.inputs.length) {
            BitcoinUtils.serializeTransactionOutputsAndTail(_progress.stream, _tx);
            _progress.state = TxSerializingState.Finished;
        }
    }

This will lead to the state being finished, and serializeTx() will permanently revert with those params. Note that the attacker can also front-run the relayer txs to make them revert.

Recommendation: Consider adding appropriate access control to TxSerializerLib - serializeTx().

kill-bugs commented 3 months ago

I think this is invalid: the library is not inherited but used directly, aka it can't be called directly; only the relayer can serialize, either via serializeOutgoingTransaction() or enrichSigHash().
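
The calling pattern discussed in this thread, as an added example that is not part of the issue or the illuminex code base: an external library function that takes a storage pointer is reached by DELEGATECALL from the host contract, so access control sits on the host's wrapper. ChunkedSerializerLib, SerializerHost, step, register, serializeChunk and the relayer field are hypothetical names, and the relayer-only wrapper is an assumption taken from the comment above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all names are hypothetical, not the project's code.
library ChunkedSerializerLib {
    enum State { Headers, Inputs, Finished }
    struct Progress { State state; uint256 progress; }

    // `external` with a storage pointer: the host contract is linked to the
    // deployed library and invokes this with DELEGATECALL, so `_p` is a slot
    // in the host's storage. A plain CALL to the library address reverts for
    // a state-changing function (Solidity's library call protection).
    function step(Progress storage _p, uint256 _total, uint256 _count) external {
        require(_p.state != State.Finished, "AF");
        if (_p.state == State.Headers) _p.state = State.Inputs;
        require(_p.progress + _count <= _total, "OOB");
        _p.progress += _count;
        if (_p.progress == _total) _p.state = State.Finished;
    }
}

contract SerializerHost {
    using ChunkedSerializerLib for ChunkedSerializerLib.Progress;

    address public immutable relayer;
    mapping(bytes32 => uint256) public inputCount;
    mapping(bytes32 => ChunkedSerializerLib.Progress) private _progressOf;

    modifier onlyRelayer() {
        require(msg.sender == relayer, "NR");
        _;
    }

    constructor(address _relayer) { relayer = _relayer; }

    function register(bytes32 _txId, uint256 _inputs) external onlyRelayer {
        require(_inputs > 0 && inputCount[_txId] == 0, "BAD");
        inputCount[_txId] = _inputs;
    }

    // Only entry point that advances the host's Progress structs; removing
    // onlyRelayer here is what would let any caller drive a tx to Finished.
    function serializeChunk(bytes32 _txId, uint256 _count) external onlyRelayer {
        _progressOf[_txId].step(inputCount[_txId], _count);
    }
}
```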