Omniscia Steer Protocol Audit
VaultRegistry Manual Review Findings
VRY-01M: Misconception of Vault Creator
| Type | Severity | Location |
|---|---|---|
| Logical Fault | | VaultRegistry.sol:L163-L169, L242, L248 |
Description:
The documentation of the VaultRegistry::getStrategyCreatorForVault function specifies that it retrieves the creator of a given vault. This is incorrect: the function returns the current owner of the strategy NFT the vault is bound to, i.e. the creator of the vault's strategy rather than the creator of the vault itself. Vault creation is permissionless, and the actual creator of a vault is not tracked anywhere in the system.
Impact:
The severity of this exhibit cannot be quantified, because either the code or the specification is incorrect; it will be revisited after the delivery of the preliminary report.
Example:
```solidity
242 /// @dev Retrieves the creator of a given vault
243 /// @param _vault The address of the vault
244 /// @return The address of the creator
245 function getStrategyCreatorForVault(
246     address _vault
247 ) public view returns (address) {
248     return strategyRegistry.ownerOf(vaults[_vault].tokenId);
249 }
```
Recommendation:
We advise the code to be revised, either by updating the documentation to reflect that the creator of a vault is unknown, or by adjusting the code so that the caller of the VaultRegistry::createVault function is required to be the owner of the _tokenId specified.
To note, the latter alone would not fully alleviate this issue: the function reads the current owner of the NFT, so a later transfer would change its result. It would therefore necessitate further adjustments in the StrategyRegistry to prevent transfers of the NFT as long as vaults are associated with it.
Other approaches can also be devised, such as explicitly recording the creator at vault creation time; in any case, the present documentation does not match the implementation.
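The following is an added illustration of the two code-level remediation paths described above, written for this review and not taken from the Steer Protocol code base. The contract, its storage layout, the `Vault` stub deployed by `createVault`, the `vaultsForToken` counter and every function name other than `createVault` are hypothetical simplifications; the real VaultRegistry::createVault signature and vault deployment logic are not reproduced here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC-721 surface this example needs (only ownerOf is consulted).
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
}

/// Hypothetical stand-in for a deployed vault; the real vault logic is out of scope.
contract Vault {
    uint256 public immutable strategyTokenId;

    constructor(uint256 _strategyTokenId) {
        strategyTokenId = _strategyTokenId;
    }
}

/// Hypothetical, simplified registry (example code, not Steer Protocol's).
contract VaultRegistryExample {
    struct VaultData {
        uint256 tokenId;  // strategy NFT the vault is bound to
        address creator;  // msg.sender at creation time, recorded explicitly
    }

    IERC721Minimal public immutable strategyRegistry;
    mapping(address => VaultData) public vaults;

    /// Live vaults bound to each strategy token. A StrategyRegistry transfer
    /// hook could consult this and refuse transfers while the count is non-zero,
    /// which is the further adjustment the recommendation refers to.
    mapping(uint256 => uint256) public vaultsForToken;

    error NotStrategyOwner(uint256 tokenId, address caller);

    event VaultCreated(address indexed vault, uint256 indexed tokenId, address indexed creator);

    constructor(IERC721Minimal _strategyRegistry) {
        strategyRegistry = _strategyRegistry;
    }

    /// Path 2 from the recommendation: only the current owner of `_tokenId`
    /// may create a vault bound to it. ownerOf reverts for a non-existent token.
    function createVault(uint256 _tokenId) external returns (address vault) {
        address owner = strategyRegistry.ownerOf(_tokenId);
        if (owner != msg.sender) revert NotStrategyOwner(_tokenId, msg.sender);

        vault = address(new Vault(_tokenId));

        // Path 3 from the recommendation: record the creator so the question
        // "who created this vault" can be answered independently of NFT ownership.
        vaults[vault] = VaultData({tokenId: _tokenId, creator: msg.sender});
        vaultsForToken[_tokenId] += 1;

        emit VaultCreated(vault, _tokenId, msg.sender);
    }

    /// The creator of the vault, read from storage; unaffected by later NFT transfers.
    function getVaultCreator(address _vault) external view returns (address) {
        return vaults[_vault].creator;
    }

    /// The current owner of the vault's strategy: this is what the audited
    /// getStrategyCreatorForVault actually returns, and it diverges from
    /// getVaultCreator as soon as the strategy NFT changes hands.
    function getStrategyOwnerForVault(address _vault) external view returns (address) {
        return strategyRegistry.ownerOf(vaults[_vault].tokenId);
    }
}
```

Keeping the two views separate makes the caveat from the recommendation visible in the API: the ownership check in `createVault` only pins the relationship at creation time, so a caller who needs the creator must read the recorded value, while a caller who needs the party currently controlling the strategy must read `ownerOf`. The transfer lock itself would have to live in the StrategyRegistry, which is the contract that performs the transfer.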
Alleviation (6513a21a002d422e298719b22f73a4559dfd4663):
The documentation of the function was updated to reflect that it yields the creator of the strategy of the vault, addressing this exhibit as the function's purpose is no longer ambiguous.