Omniscia Steer Protocol Audit
LiquidityManagerVault Manual Review Findings
LiquidityManagerVault Manual Review Findings
LMV-01M: Inexistent Restriction of Caller
| Type | Severity | Location |
|---|---|---|
| Logical Fault | ![]() | LiquidityManagerVault.sol:L975-L986 |
Description:
The LiquidityManagerVault::_update function, contrary to other functions of the system, will not validate that the msg.sender is Coinbase Verified permitting unverified users to transact shares of the LiquidityManagerVault freely through proxy accounts that are verified.
Impact:
The LiquidityManagerVault shares can be freely transacted by unverified users.
Example:
src/LiquidityManagerVault.sol
971/// @notice Override _update function to add Coinbase verification for transfers972/// @param from Address sending tokens973/// @param to Address receiving tokens974/// @param value Amount of tokens being transferred975function _update(address from, address to, uint256 value) internal virtual override {976 // Only check Coinbase verification for transfers to non-zero addresses (not burns)977 if (to != address(0)) {978 _onlyCoinbaseVerified(to);979 }980 if (from != address(0)) {981 _onlyCoinbaseVerified(from);982 }983
984 // Call the parent _update function985 super._update(from, to, value);986}Recommendation:
We advise the code to validate that the msg.sender is Coinbase verified, preventing the circumvention outlined.
Alleviation:
The code was updated to validate the caller in addition to the from and to addresses, alleviating this exhibit.
