#38460 [BC-Low] The coordinator can set a higher BTC tx fee than the current network rate to make users pay more fees to the BTC miner
Submitted on Jan 3rd 2025 at 22:44:27 UTC by @f4lc0n for
Report ID: #38460
Report Type: Blockchain/DLT
Report severity: Low
Target: https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_0.9/signer
Impacts:
Direct loss of funds
When a signer acts as the coordinator, it initiates the BTC transactions that sweep deposited BTC into the signers' multisig wallet.
The problem is that the other signers do not check the fee_rate of the BTC transaction proposed by the coordinator. A malicious signer acting as coordinator can therefore set a higher fee_rate to make users pay more in fees.
The code in signer/src/bitcoin/validation.rs::construct_package_sighashes uses the fee_rate passed by the coordinator directly, without checking it. The coordinator can therefore send a fee_rate higher than the current mainnet rate and make users pay more in fees.
Check the fee_rate provided by the coordinator to make sure it is not much higher than the current mainnet rate.
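One way to implement the check recommended above, as an added example that is not part of this report or of the sbtc code base: each signer compares the coordinator's proposed fee_rate with its own estimate (assumed to come from the signer's bitcoin node) and rejects the sweep when the ratio exceeds a tolerance or when no local estimate is available. The policy type, the 1.5x multiplier and the sample vsize are assumptions.

```rust
/// Reason a coordinator-proposed fee rate was rejected.
#[derive(Debug, PartialEq)]
pub enum FeeRateError {
    /// The signer has no fee estimate of its own to compare against.
    NoLocalEstimate,
    /// The proposed rate is not a positive finite number.
    Invalid(f64),
    /// The proposed rate exceeds the signer's tolerance band.
    TooHigh { proposed: f64, max_allowed: f64 },
}

/// Tolerance applied to the signer's own estimate (sats/vbyte).
pub struct FeeRatePolicy {
    /// Highest accepted ratio of proposed rate to local estimate (assumed 1.5).
    pub max_multiplier: f64,
}

impl FeeRatePolicy {
    /// Accept `proposed` only if it is within `max_multiplier` of the
    /// signer's own estimate; a missing estimate fails closed.
    pub fn validate(&self, proposed: f64, local_estimate: Option<f64>) -> Result<f64, FeeRateError> {
        if !proposed.is_finite() || proposed <= 0.0 {
            return Err(FeeRateError::Invalid(proposed));
        }
        let estimate = local_estimate.ok_or(FeeRateError::NoLocalEstimate)?;
        let max_allowed = estimate * self.max_multiplier;
        if proposed > max_allowed {
            return Err(FeeRateError::TooHigh { proposed, max_allowed });
        }
        Ok(proposed)
    }
}

/// Satoshis depositors would overpay on a `vsize`-vbyte sweep if the
/// proposed rate were used instead of the signer's estimate.
pub fn excess_fee_sats(proposed: f64, estimate: f64, vsize: u64) -> u64 {
    ((proposed - estimate).max(0.0) * vsize as f64).round() as u64
}

fn main() {
    // Constructed values: the signer's own node estimates 10 sat/vB and the
    // coordinator proposes 100 sat/vB (the 10x case described in the PoC).
    let policy = FeeRatePolicy { max_multiplier: 1.5 };
    match policy.validate(100.0, Some(10.0)) {
        Ok(rate) => println!("accepted {rate} sat/vB"),
        Err(e) => println!("rejected: {e:?}; would overpay {} sats on a 200 vB sweep",
                           excess_fee_sats(100.0, 10.0, 200)),
    }
}
```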
Users usually set a transaction fee higher than the current mainnet rate to ensure that their deposits are executed. Any unused portion of that fee is normally returned to the user in the form of sBTC. An attacker can use this bug to make users lose that surplus fee.
However, the user's loss is limited, so I think the bug is Medium.
None
Based on: https://github.com/stacks-network/sbtc/releases/tag/0.0.9-rc4
Patch signer/src/config/mod.rs, add attacker flag config
Patch signer/src/main.rs, load attacker flag
Patch docker/docker-compose.yml, add attacker flag
Patch signer/src/transaction_coordinator.rs, add attack action. It will set a 10x fee_rate.
Run docker
Patch signer/Cargo.toml, add poc9 bin
Wait for the sBTC contract to be deployed. Then run the poc9 tool. It will send 40 BTC to the signers' BTC address and trigger deposits every 10 seconds.
Wait until the coordinator for a trigger is sbtc-signer-3.
Add to signer/src/bin/poc9.rs
In , you will find that the transaction initiated by sbtc-signer-3 pays roughly 10x the transaction fees of the other transactions.