hats-finance / illuminex-0x0bb4aa1f58719707405c231fcdf0b405714799cf


Anyone can set fees to any amount in VaultBitcoinWallet #35

Open hats-bug-reporter[bot] opened 4 months ago

hats-bug-reporter[bot] commented 4 months ago

Github username: @giorgiodalla
Twitter username: 0xAuditism
Submission hash (on-chain): 0xe0b01ad37037a9daea6afa356ea1f8a92ec438a93a690033bc4fe8e6241006f9
Severity: medium

Description:

Because the initial msg.sender is address(0) on the Oasis chain, feeSetter is set to address(0), and thus any action related to feeSetter can be taken over by anyone.

Attack Scenario:

Since address(0) is msg.sender on the Oasis chain, anyone can set any fee, for example, which is a big issue.

Attachments:

1. Proof of Concept (PoC) File

In constructor:

https://github.com/hats-finance/illuminex-0x0bb4aa1f58719707405c231fcdf0b405714799cf/blob/3ad7c2aedf991493aab45d3e0847b7e07f5c0d07/packages/contracts/contracts/illuminex/xengine/chains/btc/wallet/VaultBitcoinWallet.sol#L145

https://github.com/hats-finance/illuminex-0x0bb4aa1f58719707405c231fcdf0b405714799cf/blob/3ad7c2aedf991493aab45d3e0847b7e07f5c0d07/packages/contracts/contracts/illuminex/xengine/chains/btc/wallet/VaultBitcoinWallet.sol#L196-L201

    function setFee(uint64 _satoshiPerByte) public {
        require(msg.sender == feeSetter);
        emit FeeSet(_satoshiPerByte);

        satoshiPerByte = _satoshiPerByte;
    }
2. Revised Code File (Optional)

Consider using different authentication methods, such as EIP-712 or SIWE.
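As an added illustration, not VaultBitcoinWallet's own code, the contract below shows the shape of a fee-setter role that fails closed at deployment instead of silently ending up owned by address(0). It assumes, as the report does, that the constructor records msg.sender as feeSetter; the constructor is only linked above, not quoted, so that shape is an assumption, and the contract, error and event names are invented for the example. The submitter withdraws the report in the next comment, so the zero-address guards are shown as general hardening against an unowned privileged role, not as a fix for a confirmed bug.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract, not part of the illuminex code base.
/// Assumption: the deployer is meant to be the initial fee setter.
contract FeeSetterGuardExample {
    error ZeroFeeSetter();
    error NotFeeSetter(address caller);

    event FeeSet(uint64 satoshiPerByte);
    event FeeSetterTransferred(address indexed previous, address indexed next);

    address public feeSetter;
    uint64 public satoshiPerByte;

    constructor() {
        // Fail at deployment rather than leave the role unowned: if the
        // deployer address ever resolved to address(0), the privileged
        // role would otherwise belong to nobody and be unrecoverable.
        if (msg.sender == address(0)) revert ZeroFeeSetter();
        feeSetter = msg.sender;
    }

    modifier onlyFeeSetter() {
        // Named error instead of a bare require: failed calls are
        // attributable in traces and easier to alert on.
        if (msg.sender != feeSetter) revert NotFeeSetter(msg.sender);
        _;
    }

    function setFee(uint64 _satoshiPerByte) external onlyFeeSetter {
        satoshiPerByte = _satoshiPerByte;
        emit FeeSet(_satoshiPerByte);
    }

    /// Explicit hand-over so the role can never be moved to address(0)
    /// by mistake, and every change of owner leaves an event to monitor.
    function transferFeeSetter(address next) external onlyFeeSetter {
        if (next == address(0)) revert ZeroFeeSetter();
        emit FeeSetterTransferred(feeSetter, next);
        feeSetter = next;
    }
}
```

The two guards are cheap invariants: a deployment that would produce feeSetter == address(0) reverts, and the role can only move to a non-zero address through an event-emitting path, which is what a monitoring rule on FeeSetterTransferred and FeeSet would watch.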

GiorgioDalla commented 4 months ago

this is invalid sorry