VaultBitcoinWallet.sol contract passed the RefuelTxSerializerFactory and TxSerializerFactory address as an argument in its constructor
From these factories, serializers are created by calling startRefuelTxSerializing() and `
function startRefuelTxSerializing(bytes32 outgoingTxHash) public onlyRelayer {
. . . some code . . .
@> RefuelTxSerializer _sr = refuelSerializerFactory.createRefuelSerializer(_serializers[_index]);
. . . some code . . .
}
startOutgoingTxSerializing()
function startOutgoingTxSerializing() public onlyRelayer {
. . . some code . . .
@> TxSerializer _sr = serializerFactory.createSerializer(
AbstractTxSerializer.FeeConfig({
outgoingTransferCost: BYTES_PER_OUTGOING_TRANSFER * satoshiPerByte,
incomingTransferCost: BYTES_PER_INCOMING_TRANSFER * satoshiPerByte
}),
_transfers
);
. . . some code . . .
}
Both refuelSerializerFactory.createRefuelSerializer() and serializerFactory.createSerializer() can only be accessed by allowedCreator which is nothing but VaultBitcoinWallet contract.
function createRefuelSerializer(TxSerializer parent) public returns (RefuelTxSerializer _serializer) {
require(msg.sender == allowedCreator, "NAC");
and,
function createSerializer(
TxSerializer.FeeConfig memory _fees,
OutgoingQueue.OutgoingTransfer[] memory _transfers
) public returns (TxSerializer _serializer) {
require(msg.sender == allowedCreator, "NAC");
Both, RefuelTxSerializerFactory.sol and TxSerializerFactory.sol inherits AbstractTxSerializerFactory.sol as base contract where init() function is implemented.
init() function is not called in both RefuelTxSerializerFactory.sol and TxSerializerFactory.sol contracts and even this is not initialized in deployment script but init() can only be called by initializer.
Since, this function is not called anywhere in contract nor it is atomically called in contracts so both createRefuelSerializer() and createSerializer() will always revert and startRefuelTxSerializing() and startOutgoingTxSerializing() will also revert. Therefore, this would break the one of the core contracts functionalities. Since Refuel transaction serializing and outgoing transaction serializing can not acheived.
Recommendation to fix\
Initilize the factory contracts init() function atomically
OR.
Consider, deploying the factory contracts via VaultBitcoinWallet.sol constructor and call init() function to initialize factories.
For example understanding, consider below changes:
Github username: -- Twitter username: -- Submission hash (on-chain): 0x69d8ca425c49ad00acbfefacaa0ccfbaa7d5fd358b0d591de717f3e0983dbf6b Severity: high
Description: Description\
VaultBitcoinWallet.sol
contract passed theRefuelTxSerializerFactory
andTxSerializerFactory
address as an argument in its constructorFrom these factories, serializers are created by calling
startRefuelTxSerializing()
and `startOutgoingTxSerializing()
Both
refuelSerializerFactory.createRefuelSerializer()
andserializerFactory.createSerializer()
can only be accessed byallowedCreator
which is nothing butVaultBitcoinWallet
contract.and,
Both,
RefuelTxSerializerFactory.sol
andTxSerializerFactory.sol
inheritsAbstractTxSerializerFactory.sol
as base contract whereinit()
function is implemented.init()
function is not called in bothRefuelTxSerializerFactory.sol
andTxSerializerFactory.sol
contracts and even this is not initialized indeployment script
but init() can only be called byinitializer
.Since, this function is not called anywhere in contract nor it is atomically called in contracts so both
createRefuelSerializer()
andcreateSerializer()
will always revert andstartRefuelTxSerializing()
andstartOutgoingTxSerializing()
will also revert. Therefore, this would break the one of the core contracts functionalities. Since Refuel transaction serializing and outgoing transaction serializing can not acheived.Recommendation to fix\ Initilize the factory contracts
init()
function atomicallyOR.
Consider, deploying the factory contracts via
VaultBitcoinWallet.sol
constructor and callinit()
function to initialize factories.For example understanding, consider below changes: