Omniscia Steer Protocol Audit

QuickSwapWhitelistedMultiLiquidityManager Manual Review Findings

QuickSwapWhitelistedMultiLiquidityManager Manual Review Findings

QSW-01M: Potentially Insecure Sanitization of Deposit

TypeSeverityLocation
Logical FaultQuickSwapWhitelistedMultiLiquidityManager.sol:L73-L79

Description:

The QuickSwapWhitelistedMultiLiquidityManager::deposit call will sanitize the to address rather than the msg.sender as being authorized to perform deposits contrary to the purpose of the whitelist.

Impact:

It is presently possible for any user to perform a deposit for the benefit of an authorized member in contrast to how the whitelist is meant to be applied.

Example:

contracts/vault-types/QuickSwapLiquidityManagers/QuickSwapWhitelistedMultiLiquidityManager.sol
60function deposit(
61    uint256 amount0Desired,
62    uint256 amount1Desired,
63    uint256 amount0Min,
64    uint256 amount1Min,
65    address to
66)
67    public
68    virtual
69    override
70    returns (uint256 shares, uint256 amount0Used, uint256 amount1Used)
71{
72    // Check that user is authorized to deposit
73    require(
74        IBareWhitelistRegistry(whitelistManager).permissions(
75            address(this),
76            to
77        ) == 1,
78        "W"
79    );
80

81    // Deposit
82    return
83        super.deposit(
84            amount0Desired,
85            amount1Desired,
86            amount0Min,
87            amount1Min,
88            to
89        );
90}

Recommendation:

We advise the code to ensure that the msg.sender has the relevant permission from the whitelistManager in addition to the to address, which should be considered optional as the actual user that performs the QuickSwapWhitelistedMultiLiquidityManager::deposit action is the msg.sender.

Alleviation (0c3f85c7c11805ac412fe291f5681bef26da7244):

The Steer Protocol team evaluated this exhibit and specified that the intention of the security check is to ensure the LP units minted are done so to a whitelisted address.

A msg.sender that is not whitelisted should be able to deposit on behalf of a whitelisted address and the LP units minted can then be freely transferred; the minting operation is what the Steer Protocol team is concerned with and wishes to protect.

As a result of these additional statements by the Steer Protocol team, we consider this exhibit nullified as it represents desirable behaviour.

Prev

QuickSwapSinglePositionLiquidityManager.sol (QSS-M)

Next

QuickSwapWhitelistedSingleLiquidityManager.sol (QSL-M)

On this page