Category: Coding Mistakes

Tortuga coin initialization

Medium Severity
Medium Impact
Medium Likelihood

Description

The initialize_tortuga_liquid_staking function calls coin::initialize to instantiate the Coin resource. However, the body of coin::initialize contains an assertion that the creator of the resource matches the deploying package's address:

assert!(
    coin_address<CoinType>() == account_addr,
    error::invalid_argument(ECOIN_INFO_ADDRESS_MISMATCH),
);

Impact

Users would not be able to access this function and therefore could not deploy their own version of StakedAptosCoin.

Recommendations

We recommend making this function accessible only to Tortuga's address.
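
One way to express this restriction, as an added example that is not Tortuga's code or the change made in the remediation commit: the initializer checks the signer against the publishing address and aborts with its own error code before coin::initialize's internal assertion is reached. The module name, the named address `tortuga_example` (which would be declared in Move.toml), the error constant, the `Capabilities` resource and the coin name, symbol and decimals are all assumptions made for illustration.

```move
// Added illustration; every name in this module is hypothetical.
module tortuga_example::staked_coin_init {
    use std::error;
    use std::signer;
    use std::string;
    use aptos_framework::coin::{Self, BurnCapability, FreezeCapability, MintCapability};

    /// The caller is not the address that published this module.
    const ENOT_PUBLISHER: u64 = 1;

    /// Stand-in for the StakedAptosCoin type named in the finding.
    struct StakedAptosCoin {}

    /// Holds the capabilities returned by coin::initialize so they are not dropped.
    struct Capabilities has key {
        burn: BurnCapability<StakedAptosCoin>,
        freeze: FreezeCapability<StakedAptosCoin>,
        mint: MintCapability<StakedAptosCoin>,
    }

    public entry fun initialize(publisher: &signer) {
        // Explicit access check: only the publishing address may initialize.
        // Any other caller aborts here with ENOT_PUBLISHER instead of with
        // ECOIN_INFO_ADDRESS_MISMATCH from inside coin::initialize.
        assert!(
            signer::address_of(publisher) == @tortuga_example,
            error::permission_denied(ENOT_PUBLISHER),
        );

        // coin_address<StakedAptosCoin>() resolves to @tortuga_example, so the
        // framework's own assertion now always holds at this point.
        let (burn, freeze, mint) = coin::initialize<StakedAptosCoin>(
            publisher,
            string::utf8(b"Staked Aptos Coin"), // constructed sample name
            string::utf8(b"stAPT"),             // constructed sample symbol
            8,                                  // constructed sample decimals
            true,                               // monitor_supply
        );
        move_to(publisher, Capabilities { burn, freeze, mint });
    }
}
```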

Remediation

Move Labs fixed this issue in commit ef89a88.

Zellic © 2023