Omniscia Steer Protocol Audit
Manual Review
Manual Review
A thorough line-by-line review was conducted on the codebase to identify potential malfunctions and vulnerabilities in Steer Protocol's updates and new integration.
As the project at hand implements a proxy-based upgrade as well as new protocol integration, intricate care was put into ensuring that the flow of funds & assets within the system conforms to the specifications and restrictions laid forth within the protocol's specification and that the upgraded implementations are backwards-compatible.
We validated that all state transitions of the system occur within sane criteria and that all rudimentary formulas within the system execute as expected. We pinpointed multiple significant vulnerabilities within the system which could have had severe ramifications to its overall operation; we advise the Steer Protocol team to promptly evaluate and remediate the findings identified within the audit report.
Additionally, the system was investigated for any other commonly present attack vectors such as re-entrancy attacks, mathematical truncations, logical flaws and ERC / EIP standard inconsistencies. The documentation of the project was satisfactory to the extent it need be.
A total of 34 findings were identified over the course of the manual review of which 20 findings concerned the behaviour and security of the system. The non-security related findings, such as optimizations, are included in the separate Code Style chapter.
The finding table below enumerates all these security / behavioural findings:
| ID | Severity | Addressed | Title |
|---|---|---|---|
| ABL-01M |  |  | Inexistent Configuration of Fee Manager (Migration) |
| AMP-01M |  | | Adjustment of Function Interface |
| AMP-02M | | | Adjustment of Storage Structure |
| BLM-01M | | | Inexistent Configuration of Fee Manager (Migration) |
| DSG-01M |  | | Inexistent Prevention of Equivalent Reward & Staking |
| DSG-02M | | | Non-Standard Re-Entrancy Protection |
| DSG-03M | |  | Inexistent Prevention of Re-Invocation |
| FMR-01M | | | Discrepant Sanitization of Total Vault Fees |
| FMR-02M | | | Inexistent Prevention of Duplicate Fee Identifiers |
| FMR-03M |  | | Out-of-Bound Index Access Failures |
| MPL-01M | | | Adjustment of Function Interface |
| MPL-02M | | | Adjustment of Storage Structure |
| PSB-01M | | | Incorrect Usage of Checked Arithmetic (TWAP Formula) |
| PSB-02M | | | Inexecutable Emergency Operation |
| PSB-03M | | | Inexistent Acceptance of Poolshark Positions |
| PSM-01M | | | Potential Denial-of-Service of Liquidity Manager (Poolshark Integration) |
| SSG-01M | | | Inexistent Prevention of Equivalent Reward & Staking |
| SSG-02M | | | Non-Standard Re-Entrancy Protection |
| SSG-03M | | | Inexistent Prevention of Re-Invocation |
| VRY-01M | | | Misconception of Vault Creator |