Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Tortuga Liquid Staking>Discussion>Resource inconsistency
GeneralOverview
Findings
Medium (2)
Low (2)
Informational (1)
DiscussionEvolving natureGriefingSimple map griefingIntegration and composabilityResource inconsistency
VerificationFormal verification
Audit ResultsAudit Results

Resource inconsistency

Within the code are resources that can be acquired by normal users that should be ideally only be reserved for admin acquisition only. This does not pose as an immediate security risk, however the getter methods for these resources would not work.

For instance, one could acquire the StakingStatus resource that exists on the publically available function initialize_tortuga_liquid_staking.

However this following function, which utilizes a getter for this resource

public fun get_total_worth(): u64 acquires StakingStatus {
    let staking_status = borrow_global<StakingStatus>(@tortuga);
    let unclaimed_balance =
        staking_status.total_claims_balance -
            staking_status.total_claims_balance_cleared;
    validator_router::get_total_balance() - (unclaimed_balance as u64)
}

acquires the resource strictly from the address of @tortuga, rendering the ability for a user to have their own StakingStatus resource impractical.

We suggest the initialization functions to be accessible only for the address of @tortuga.

Zellic © 2023Back to top ↑