The smart contract auditor found that operator verification could have let operators into the system without a verified ID or even being a company.