Omniscia Steer Protocol Audit

FeeManager Static Analysis Findings

FMR-01S: Inexistent Event Emission

Description:

The linked function adjusts a sensitive contract variable yet does not emit an event for it.

Example:

contracts/FeeManager.sol

function setVaultRegistry(address _vaultRegistry) external onlyOwner {
    require(_vaultRegistry != address(0), "address(0)");
    vaultRegistry = _vaultRegistry;
}

Recommendation:

We advise an event to be declared and correspondingly emitted to ensure off-chain processes can properly react to this system adjustment.

Alleviation (6513a21a002d422e298719b22f73a4559dfd4663):

The referenced assignment is no longer performed via a dedicated function, rendering this exhibit inapplicable.

FMR-02S: Inexistent Initialization Protection of Base Implementation

Description:

The contract is meant to be upgradeable yet does not protect its logic (implementation) deployment from being initialized by an arbitrary party.

Example:

contracts/FeeManager.sol

contract FeeManager is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    struct Fee {
        string feeIdentifier;
        uint256 feeValue;
    }

    mapping(address => Fee[]) public vaultFees;
    mapping(address => uint256) public vaultTotalFees;
    mapping(address => mapping(string => address))
        public withdrawalPermissions;
    address public vaultRegistry;

    event FeeWithdrawn(
        address indexed caller,
        address indexed vault,
        string feeIdentifier,
        address indexed to,
        uint256 amount0,
        uint256 amount1
    );
    event FeesWithdrawn(
        address indexed caller,
        address[] vault,
        string[] feeIdentifier,
        address[] to,
        uint256[] amount0,
        uint256[] amount1
    );
    event FeeUpdated(
        address indexed vault,
        string[] feeIdentifier,
        uint256[] feeValue,
        address[] withdrawer
    );

    // Initializer function (replacing the constructor)
    function initialize() public initializer {
        __Ownable_init();
    }

Recommendation:

We advise a constructor to be introduced that either applies the initializer modifier of the Initializable contract or invokes the Initializable::_disableInitializers function, preventing the base implementation from ever being initialized.

Alleviation (6513a21a002d422e298719b22f73a4559dfd4663):

The Steer Protocol team evaluated this exhibit and clarified that they do not utilize an OpenZeppelin version that exposes the Initializable::_disableInitializers function.

As such, the pattern presently adopted by the Steer Protocol team is correct, rendering this exhibit nullified.
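The following is an added illustrative sketch, not the Steer Protocol code, showing how both exhibits would be addressed together: the constructor locks the logic deployment as recommended in FMR-02S, and setVaultRegistry emits an event as recommended in FMR-01S. It assumes an OpenZeppelin contracts-upgradeable release of 4.6 or later (where Initializable::_disableInitializers exists); the hypothetical event name VaultRegistryUpdated and the contract name FeeManagerHardened are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

// Illustrative hardened sketch (not the project's code); only the members
// relevant to FMR-01S and FMR-02S are included.
contract FeeManagerHardened is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    address public vaultRegistry;

    // FMR-01S: emitted on every registry change so off-chain monitors and
    // indexers can react to the adjustment. (Hypothetical event name.)
    event VaultRegistryUpdated(address indexed previousRegistry, address indexed newRegistry);

    // FMR-02S: lock the implementation so initialize() can never be called on
    // the logic contract itself; only proxies delegating to it can initialize.
    // On OpenZeppelin releases before 4.6, the equivalent is a constructor
    // carrying the `initializer` modifier: `constructor() initializer {}`.
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    // Proxy-side initializer; `initializer` guarantees it runs exactly once.
    function initialize(address _vaultRegistry) public initializer {
        __Ownable_init();
        __UUPSUpgradeable_init();
        require(_vaultRegistry != address(0), "address(0)");
        vaultRegistry = _vaultRegistry;
        emit VaultRegistryUpdated(address(0), _vaultRegistry);
    }

    // Same checks as the audited function, plus the event emission.
    function setVaultRegistry(address _vaultRegistry) external onlyOwner {
        require(_vaultRegistry != address(0), "address(0)");
        address previous = vaultRegistry;
        vaultRegistry = _vaultRegistry;
        emit VaultRegistryUpdated(previous, _vaultRegistry);
    }

    // Required by UUPSUpgradeable: restrict upgrades to the owner.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}
```

A quick check after deployment is to call initialize() directly on the implementation address: with the constructor in place it must revert with "Initializable: contract is already initialized".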