Omniscia Steer Protocol Audit

LiquidityManagerVault Manual Review Findings

LiquidityManagerVault Manual Review Findings

LMV-01M: Inexistent Restriction of Caller

Description:

The LiquidityManagerVault::_update function, contrary to other functions of the system, will not validate that the msg.sender is Coinbase Verified permitting unverified users to transact shares of the LiquidityManagerVault freely through proxy accounts that are verified.

Impact:

The LiquidityManagerVault shares can be freely transacted by unverified users.

Example:

src/LiquidityManagerVault.sol
971/// @notice Override _update function to add Coinbase verification for transfers
972/// @param from Address sending tokens
973/// @param to Address receiving tokens
974/// @param value Amount of tokens being transferred
975function _update(address from, address to, uint256 value) internal virtual override {
976 // Only check Coinbase verification for transfers to non-zero addresses (not burns)
977 if (to != address(0)) {
978 _onlyCoinbaseVerified(to);
979 }
980 if (from != address(0)) {
981 _onlyCoinbaseVerified(from);
982 }
983
984 // Call the parent _update function
985 super._update(from, to, value);
986}

Recommendation:

We advise the code to validate that the msg.sender is Coinbase verified, preventing the circumvention outlined.

Alleviation:

The code was updated to validate the caller in addition to the from and to addresses, alleviating this exhibit.