search

hats-finance / illuminex-0x0bb4aa1f58719707405c231fcdf0b405714799cf

0 stars 1 forks source link

Abuse of Refuel Mechanism in VaultBitcoinWallet #99

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0xe80034888c6a36ff8a7ebd4b8bdcf8c115a31e4fcd2e0579745646bbb211e5ce Severity: medium

Description: Description\ The VaultBitcoinWallet contract includes a refuel mechanism designed to handle situations where transactions get stuck due to insufficient fees. However, this mechanism can be abused by malicious actors who intentionally create many transactions with very low fees, causing them to get stuck and subsequently triggering the refuel process. This can lead to resource exhaustion, increased costs, and potential DoS attacks.

Attack Scenario\

Malicious Transactions: An attacker sends multiple transactions with very low fees, causing them to get stuck in the Bitcoin network. These transactions are processed by the VaultBitcoinWallet contract, but due to the low fees, they remain stuck.

Triggering Refuel: Then the startRefuelTxSerializing triggers and creates refuel candidate transactions with additional BTC to cover the increased fees.

Resource Exhaustion: The attacker repeats this process, creating a large number of low-fee transactions and triggering multiple refuel requests. This leads to resource exhaustion, as the system becomes overwhelmed with the number of transactions and refuel requests.

Denial of Service: Legitimate transactions are delayed or prevented from being processed due to the excessive load caused by the malicious transactions and refuel requests. The system incurs increased costs due to the additional BTC required for refuel transactions.

Attachments

  1. Proof of Concept (PoC) File

    The vulnerability lies in the handling of refuel transactions within the VaultBitcoinWallet contract. Specifically, the startRefuelTxSerializing and finaliseRefuelTxSerializing functions do not have sufficient checks to prevent abuse of the refuel mechanism.

// SPDX-License-Identifier: BUSL-1.1
pragma solidity ^0.8.0;

contract VaultBitcoinWallet is BitcoinAbstractWallet, RotatingKeys, Ownable, ITxInputsStorage, ITxSecretsStorage, AllowedRelayers {
    // ... other code ...

    address public constant REFUEL_VAULT_ADDRESS = address(1);

    // ... other code ...

    function startRefuelTxSerializing(bytes32 outgoingTxHash) public onlyRelayer {
        uint256 _index = _outboundTxHashToId[outgoingTxHash];
        require(_index != 0, "Invalid outgoing transaction hash");

        OutboundTransaction storage outboundTx = outboundTransactions[_index];
        require(outboundTx.txHash != bytes32(0) && outboundTx.finalisedCandidateHash == bytes32(0), "UOT");

        RefuelTxSerializer _sr = refuelSerializerFactory.createRefuelSerializer(_serializers[_index]);
        _sr.toggleRelayer(msg.sender);

        _refuelSerializers[_index].push(_sr);
        emit RefuelTxStarted(_index, _refuelSerializers[_index].length - 1);
    }

    function finaliseRefuelTxSerializing(bytes32 outgoingTxHash, uint256 refuelTxId) public onlyRelayer {
        uint256 _index = _outboundTxHashToId[outgoingTxHash];
        require(_index != 0, "Invalid outgoing transaction hash");

        OutboundTransaction storage outboundTx = outboundTransactions[_index];
        require(outboundTx.txHash != bytes32(0) && outboundTx.finalisedCandidateHash == bytes32(0), "UOT");

        RefuelTxSerializer _sr = _refuelSerializers[_index][refuelTxId];

        (bytes memory txData, bytes32 txHash) = _sr.getRaw();
        emit RefuelTxBroadcast(txHash, outgoingTxHash, txData);

        require(!outboundTx.refuelCandidatesHashes[txHash], "AA");

        outboundTx.refuelCandidatesHashes[txHash] = true;
        _outboundTxHashToId[txHash] = _index;
    }

    // ... other code ...
}
  1. Revised Code File (Optional)
    • By implementing minimum fee requirements, dynamic fee adjustment and refuel limits, you can mitigate the risk of users intentionally creating many low-fee transactions and abusing the refuel mechanism. These strategies help ensure that the system remains robust and can handle legitimate transactions effectively.
batmanBinary commented 1 month ago

@party-for-illuminati , Could you please provide some feedback?

party-for-illuminati commented 1 month ago

@party-for-illuminati , Could you please provide some feedback?

Users can't set custom fees