hats-finance / illuminex-0x0bb4aa1f58719707405c231fcdf0b405714799cf


Fee Bypass during VaultBitcoinWallet contract deployment #94

Open hats-bug-reporter[bot] opened 2 months ago

hats-bug-reporter[bot] commented 2 months ago

- Github username: --
- Twitter username: --
- Submission hash (on-chain): 0xa99bd68bb8f9994f1925459648a4e5caf208d243cd83ce7dacdbe72209d76551
- Severity: medium

Description:

The VaultBitcoinWallet contract does not set the satoshiPerByte fee during deployment, which can be leveraged by users to bypass fees before the setFee function is called. This vulnerability arises because the setFee function is not invoked in the constructor, leaving the satoshiPerByte fee uninitialized until explicitly set after deployment.

Attack Scenario:

A user could exploit this vulnerability by performing transactions that bypass the fee mechanism before the setFee function is called. This could result in financial losses for the protocol.

Attachments

  1. Proof of Concept (PoC) File

    The constructor of the VaultBitcoinWallet contract does not include a mechanism to set the satoshiPerByte fee:

    
    constructor(
        address _prover,
        bytes memory _offchainSigner,
        BitcoinUtils.WorkingScriptSet memory _loadScripts,
        address _queue,
        TxSerializerFactory _serializerFactory,
        RefuelTxSerializerFactory _refuelSerializerFactory
    )
        BitcoinAbstractWallet(_prover)
        RotatingKeys(keccak256(abi.encodePacked(block.number)), type(VaultBitcoinWallet).name) //@audit-satoshiPerByte is not set
    {
        btcToken = new PeggedBTC();
        queue = OutgoingQueue(_queue);

        workingScriptSet = _loadScripts;

        IScript[] memory _scripts = new IScript[](3);
        _scripts[0] = workingScriptSet.vaultScript;
        _scripts[1] = workingScriptSet.p2pkhScript;
        _scripts[2] = workingScriptSet.p2shScript;

        _setSupportedScripts(_scripts);
        _updateOffchainSignerPubKey(_offchainSigner);

        feeSetter = msg.sender;

        serializerFactory = _serializerFactory;
        refuelSerializerFactory = _refuelSerializerFactory;
    }

2. **Revised Code File (Optional)**
- To mitigate this issue, the constructor should be modified to include a parameter for the initial fee and set it during deployment. This ensures that the fee is set immediately upon contract creation.

    constructor(
        address _prover,
        bytes memory _offchainSigner,
        BitcoinUtils.WorkingScriptSet memory _loadScripts,
        address _queue,
        TxSerializerFactory _serializerFactory,
        RefuelTxSerializerFactory _refuelSerializerFactory,
        uint256 _initialFee // Add this parameter
    )
        BitcoinAbstractWallet(_prover)
        RotatingKeys(keccak256(abi.encodePacked(block.number)), type(VaultBitcoinWallet).name)
    {
        btcToken = new PeggedBTC();
        queue = OutgoingQueue(_queue);

        workingScriptSet = _loadScripts;

        IScript[] memory _scripts = new IScript[](3);
        _scripts[0] = workingScriptSet.vaultScript;
        _scripts[1] = workingScriptSet.p2pkhScript;
        _scripts[2] = workingScriptSet.p2shScript;

        _setSupportedScripts(_scripts);
        _updateOffchainSignerPubKey(_offchainSigner);

        feeSetter = msg.sender;

        serializerFactory = _serializerFactory;
        refuelSerializerFactory = _refuelSerializerFactory;

        // Set the initial fee
        setFee(_initialFee);
    }
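
A minimal model of the mitigation described in the report above, as an added example that is not part of the original submission or the illuminex code base. Only `satoshiPerByte`, `setFee` and `feeSetter` come from the page; the contract name, the `uint256` fee type, the zero-fee rejection, the `_setFee` helper and `networkFee` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified, constructed model of a fee-carrying wallet contract.
// Hypothetical names: FeeInitModel, _setFee, networkFee, the errors and event.
contract FeeInitModel {
    error ZeroFee();
    error NotFeeSetter();

    event FeeUpdated(uint256 oldFee, uint256 newFee);

    address public feeSetter;

    // A storage integer that is never assigned reads as 0, so any fee
    // computed from it is 0 until a setter runs.
    uint256 public satoshiPerByte;

    constructor(uint256 _initialFee) {
        feeSetter = msg.sender;
        // Use an internal helper so the constructor does not depend on the
        // visibility or access checks of the public setter (assumption:
        // the page does not show how setFee is declared).
        _setFee(_initialFee);
    }

    function setFee(uint256 _fee) external {
        if (msg.sender != feeSetter) revert NotFeeSetter();
        _setFee(_fee);
    }

    function _setFee(uint256 _fee) internal {
        // Assumed policy: 0 is never a valid fee, so "unset" and "set"
        // cannot be confused and deployment fails without a real value.
        if (_fee == 0) revert ZeroFee();
        emit FeeUpdated(satoshiPerByte, _fee);
        satoshiPerByte = _fee;
    }

    // Hypothetical fee calculation on the outgoing-transaction path.
    function networkFee(uint256 txSizeBytes) public view returns (uint256) {
        // Fail closed: refuse to price a transaction while the fee is 0.
        if (satoshiPerByte == 0) revert ZeroFee();
        return txSizeBytes * satoshiPerByte;
    }
}
```

With this shape, a deployment that omits the fee reverts instead of producing a contract that charges nothing, and the `FeeUpdated` event gives monitoring a record of the initial value and every later change.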

batmanBinary commented 2 months ago

@party-for-illuminati ?