Description:
Anyone can overwrite an already finished tx serialization to any arbitrary input by directly calling the respective BitcoinUtils functions, since these inner functions don't have access control or any way to measure the state of the serialized transaction.
Relayer starts tx serialization, soon TxSerializeLib.serializeTx() will be called
Attacker changes the serialized tx with directly calling the BitcoinUtils functions to change the finished serialized transaction for their own benefit (sends themselves tokens)
Relayer progresses with tx serialization, if they don't notice funds will be stolen by the attacker, if they notice the current tx is DoS-d
Recommendation
Consider to either make the BitcoinUtils functions internal instead of external and adjust contracts. Alternatively consider to add access control to the BitcoinUtils library.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x60db99f06cbd10a890debcca0ec3a5f6cbb039fd0fde42cec929540bb1e76292 Severity: medium
Description: Anyone can overwrite an already finished tx serialization to any arbitrary input by directly calling the respective
BitcoinUtils
functions, since these inner functions don't have access control or any way to measure the state of the serialized transaction.serializeTransactionHeader()
serializeTransactionInputs()
serializeTransactionOutputsAndTail()
BitcoinUtils.sol
-serializeTransactionOutputsAndTail()
TxSerializerLib.sol
-serializeTx()
Attack Scenario
TxSerializeLib.serializeTx()
will be calledBitcoinUtils
functions to change the finished serialized transaction for their own benefit (sends themselves tokens)Recommendation
Consider to either make the
BitcoinUtils
functionsinternal
instead ofexternal
and adjust contracts. Alternatively consider to add access control to theBitcoinUtils
library.