Description:Description\
VaultBitcoinWallet.sol contract has startRefuelTxSerializing() function. This function deploys RefuelTxSerializer contract since VaultBitcoinWallet contract as msg.sender will act as an allowedCreator and its implemented as:
1) As it can be seen, RefuelTxSerializer contract's ownership is transferred to msg.sender i.e VaultBitcoinWallet.sol contract.
2) RefuelTxSerializer contract inherits AbstractTxSerializer which further which sets msg.sender i.e VaultBitcoinWallet.sol contract as relayer.
_toggleRelayer(msg.sender);
function _toggleRelayer(address _relayer) internal {
relayers[_relayer] = !relayers[_relayer];
}
3) RefuelTxSerializer.sol as give in inheritance route, further inherits AllowedRelayers.sol contract which has below onlyOwner functions.
function toggleRelayersWhitelistEnabled() public onlyOwner {
relayersWhitelistEnabled = !relayersWhitelistEnabled;
}
function toggleRelayer(address _relayer) public onlyOwner {
_toggleRelayer(_relayer);
}
Both of these functions can only be called the owner. Now as mentioned in point 1, VaultBitcoinWallet.sol is the owner of RefuelTxSerializer contract instance so it should be able to call the above onlyOwner function. so VaultBitcoinWallet.sol has called toggleRelayer() function to set the msg.sender of VaultBitcoinWallet.createRefuelSerializer() function which can be seen at L-286 in VaultBitcoinWallet.sol:
_sr.toggleRelayer(msg.sender);
Now, THE ISSUE is that, VaultBitcoinWallet.sol can not directly call inherited toggleRelayersWhitelistEnabled() function as VaultBitcoinWallet is a contract and NOT an EOA to call any function directly. There would need some pointer to call toggleRelayersWhitelistEnabled() function similar how toggleRelayer() function is called in VaultBitcoinWallet contract.
With this issue, it would not be possible to call toggleRelayersWhitelistEnabled() to enable or disable the relayersWhitelist which would decide the onlyRelayer use across contracts. This would break one of functionality where implemented toggleRelayersWhitelistEnabled() function can not be access by VaultBitcoinWallet.sol
Recommendation to fix\
To mitigate this issue, consider implementing function which can call toggleRelayersWhitelistEnabled() from RefuelTxSerializer .
Github username: -- Twitter username: -- Submission hash (on-chain): 0x736df5661c79f6f5e6f46d0478e4371d1a07eaf8d93b49cf0869e8e75767e679 Severity: medium
Description: Description\
VaultBitcoinWallet.sol
contract hasstartRefuelTxSerializing()
function. This function deploysRefuelTxSerializer
contract sinceVaultBitcoinWallet
contract asmsg.sender
will act as anallowedCreator
and its implemented as:createRefuelSerializer()
is implemented inrefuelSerializerFactory.sol
as:TWO things to note here:-
1) As it can be seen,
RefuelTxSerializer
contract's ownership is transferred tomsg.sender
i.eVaultBitcoinWallet.sol
contract.2)
RefuelTxSerializer
contract inheritsAbstractTxSerializer
which further which setsmsg.sender
i.eVaultBitcoinWallet.sol
contract as relayer.3)
RefuelTxSerializer.sol
as give in inheritance route, further inheritsAllowedRelayers.sol
contract which has belowonlyOwner
functions.Both of these functions can only be called the owner. Now as mentioned in point 1,
VaultBitcoinWallet.sol
is the owner ofRefuelTxSerializer
contract instance so it should be able to call the aboveonlyOwner
function. soVaultBitcoinWallet.sol
has calledtoggleRelayer()
function to set themsg.sender
ofVaultBitcoinWallet.createRefuelSerializer()
function which can be seen at L-286 inVaultBitcoinWallet.sol
:Now, THE ISSUE is that,
VaultBitcoinWallet.sol
can not directly call inheritedtoggleRelayersWhitelistEnabled()
function asVaultBitcoinWallet
is a contract and NOT an EOA to call any function directly. There would need some pointer to calltoggleRelayersWhitelistEnabled()
function similar howtoggleRelayer()
function is called inVaultBitcoinWallet
contract.With this issue, it would not be possible to call
toggleRelayersWhitelistEnabled()
to enable or disable therelayersWhitelist
which would decide theonlyRelayer
use across contracts. This would break one of functionality where implementedtoggleRelayersWhitelistEnabled()
function can not be access byVaultBitcoinWallet.sol
Recommendation to fix\ To mitigate this issue, consider implementing function which can call
toggleRelayersWhitelistEnabled()
fromRefuelTxSerializer
.For example understanding: