hats-finance / illuminex-0x0bb4aa1f58719707405c231fcdf0b405714799cf


feeSetter will be address(0) in VaultBitcoinWallet #33

Open hats-bug-reporter[bot] opened 3 months ago

hats-bug-reporter[bot] commented 3 months ago

Github username: @@giorgiodalla
Twitter username: 0xAuditism
Submission hash (on-chain): 0xc54847dda609ba6d6979d6e5d95f7725b16924b2f73b58a8281ba6b307975690
Severity: medium

Description:

Since on Oasis chain the initial msg.sender = address(0), when VaultBitcoinWallet is deployed msg.sender will actually be address(0) since it is not a contract, which means feeSetter = address(0).

Attack Scenario

feeSetter will be address 0 and won't be able to benefit from his privileged position.

Attachments

We can see in the constructor:

constructor {
    ...
    _updateOffchainSignerPubKey(_offchainSigner);

@>  feeSetter = msg.sender;

    serializerFactory = _serializerFactory;
    refuelSerializerFactory = _refuelSerializerFactory;

1. Revised Code File (Optional)

Consider manually inputting the address of the desired feeSetter:

     feeSetter = _feeSetter;
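
The change suggested in the report, with a guard, as an added example that is not part of the original report or the illuminex code base: the fee setter is passed in explicitly and a zero address makes deployment revert instead of leaving the role unusable. The contract name, the custom errors, the event and `setFeeSetter` are hypothetical; only `feeSetter` and `_feeSetter` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract illustrating the explicit-parameter pattern;
// it is not VaultBitcoinWallet and omits everything unrelated to the role.
contract FeeSetterExample {
    address public feeSetter;

    error ZeroFeeSetter();
    error NotFeeSetter(address caller);

    event FeeSetterChanged(address indexed previous, address indexed current);

    // The privileged address is a constructor argument, so it does not
    // depend on what msg.sender resolves to in the deployment context.
    constructor(address _feeSetter) {
        // Fail the deployment rather than store an address nobody controls.
        if (_feeSetter == address(0)) revert ZeroFeeSetter();
        feeSetter = _feeSetter;
        emit FeeSetterChanged(address(0), _feeSetter);
    }

    modifier onlyFeeSetter() {
        if (msg.sender != feeSetter) revert NotFeeSetter(msg.sender);
        _;
    }

    // Role hand-over applies the same zero-address check, so the role
    // cannot be lost after deployment either.
    function setFeeSetter(address next) external onlyFeeSetter {
        if (next == address(0)) revert ZeroFeeSetter();
        emit FeeSetterChanged(feeSetter, next);
        feeSetter = next;
    }
}
```

The `FeeSetterChanged` event gives monitoring a single place to watch for changes to the privileged address.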

GiorgioDalla commented 3 months ago

consider this invalid