Platform: Code4rena
Start Date: 12/12/2022
Pot Size: $36,500 USDC
Total HM: 8
Participants: 103
Period: 7 days
Judge: berndartmueller
Id: 193
League: ETH
Rank: 92/103
Findings: 1
Award: $6.99
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: minhquanym
Also found by: 0x52, 0xDecorativePineapple, Apocalypto, BAHOZ, ElKu, Franfran, HE1M, Jeiwan, KingNFT, Koolex, SamGMK, Tointer, Tricko, UNCHAIN, __141345__, ak1, aviggiano, bytehat, carrotsmuggler, cccz, chaduke, cozzetti, dipp, eyexploit, fs0c, haku, hansfriese, hihen, immeas, izhelyazkov, koxuan, ladboy233, lumoswiz, rajatbeladiya, rjs, rvierdiiev, seyni, supernova, unforgiven, yixxas
6.9881 USDC - $6.99
First LP can steal funds from later LPs due to truncation
LP value manipulation allows the first LP to dramatically inflate the value of the LP compared to the underlying token. When later LPs add funds, they will lose value due to the truncation that occurs during the calculations. This is a well known phenomenon which is why in UniswapV2 a small amount of LP is permanently locked on first deposit.
In this protocol they opt to not mint the minimum liquidity, presumably so that all liquidity can be removed at some point and potentially all NFTs can be redeemed. Realistically this is optimistic and in practice any vault that is closed will have to be auction off in the end anyways.
Manual Review
Use the Uniswap V2 mitigation and permanently lock a minimum amount of liquidity when the first LP deposits.
#0 - c4-judge
2022-12-28T15:39:49Z
berndartmueller marked the issue as duplicate of #442
#1 - c4-judge
2023-01-10T09:18:39Z
berndartmueller changed the severity to 3 (High Risk)
#2 - c4-judge
2023-01-10T09:18:44Z
berndartmueller marked the issue as satisfactory