Category: Coding Mistakes
Tortuga coin initialization
Medium Severity
Medium Impact
Medium Likelihood
Description
The initialize_tortuga_liquid_staking function calls coin::initialize to instantiate the Coin resource. However, the body of coin::initialize contains an assertion that the creator of the resource matches the deploying package's address:
assert!(
    coin_address<CoinType>() == account_addr,
    error::invalid_argument(ECOIN_INFO_ADDRESS_MISMATCH),
);
Impact
Users would not be able to access this function and therefore could not deploy their own version of StakedAptosCoin.
Recommendations
We recommend making this function accessible only to Tortuga's address.
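One way to express this restriction, shown as an added example that is neither Tortuga's code nor the fix in the referenced commit: the entry function checks the caller against the package address itself and aborts with a permission error before coin::initialize is reached. The module and address name `tortuga_example`, the error constant, the `Capabilities` resource, the single-signer parameter list and the coin name and symbol are assumptions; the coin::initialize call follows the aptos_framework signature (name, symbol, decimals, monitor_supply).

```move
// Added example. Module, address, constant and resource names are hypothetical.
module tortuga_example::staked_coin_example {
    use std::error;
    use std::signer;
    use std::string;
    use aptos_framework::coin::{Self, BurnCapability, FreezeCapability, MintCapability};

    /// Caller is not the address this package is published under.
    const ENOT_PACKAGE_OWNER: u64 = 1;

    /// Defined in this module, so coin_address<StakedAptosCoin>() resolves to
    /// @tortuga_example and only that signer can pass coin::initialize.
    struct StakedAptosCoin {}

    /// The capabilities returned by coin::initialize have no `drop` ability,
    /// so they are stored under the owner's account.
    struct Capabilities has key {
        burn_cap: BurnCapability<StakedAptosCoin>,
        freeze_cap: FreezeCapability<StakedAptosCoin>,
        mint_cap: MintCapability<StakedAptosCoin>,
    }

    /// Simplified, assumed signature: the real function's parameters are not
    /// shown on the page.
    public entry fun initialize_tortuga_liquid_staking(owner: &signer) {
        // Explicit access check: any other caller aborts here with a clear
        // permission error instead of ECOIN_INFO_ADDRESS_MISMATCH from the
        // framework, and the restriction is visible in this module.
        assert!(
            signer::address_of(owner) == @tortuga_example,
            error::permission_denied(ENOT_PACKAGE_OWNER),
        );

        let (burn_cap, freeze_cap, mint_cap) = coin::initialize<StakedAptosCoin>(
            owner,
            string::utf8(b"Example Staked Coin"), // constructed name
            string::utf8(b"EXSTK"),               // constructed symbol
            8,                                    // decimals
            true,                                 // monitor_supply
        );
        move_to(owner, Capabilities { burn_cap, freeze_cap, mint_cap });
    }
}
```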
Remediation
Move Labs fixed this issue in commit ef89a88.