Skip to content

Security: Fix critical vulnerabilities in AMM program#5

Open
ExpertVagabond wants to merge 1 commit into0xNineteen:mainfrom
ExpertVagabond:security/fix-critical-vulnerabilities
Open

Security: Fix critical vulnerabilities in AMM program#5
ExpertVagabond wants to merge 1 commit into0xNineteen:mainfrom
ExpertVagabond:security/fix-critical-vulnerabilities

Conversation

@ExpertVagabond
Copy link

@ExpertVagabond ExpertVagabond commented Feb 9, 2026

Security Audit Report: anchor-uniswap-v2

Summary

Automated security audit identified 10 vulnerabilities (1 Critical, 4 High, 5 Medium). This PR fixes the 5 most impactful issues.

Vulnerabilities Fixed

1. [CRITICAL] Copy-Paste Bug in Swap Vault Constraint (swap.rs:83)

vault_dst constraint checked vault_src.mint == user_src.mint instead of vault_dst.mint == user_dst.mint. Combined with missing PDA validation on swap vaults, this could allow vault substitution attacks to drain pool funds.

2. [HIGH] Integer Truncation in Exchange Rate (liquidity.rs:45-46)

Division before multiplication (vault_balance1 / vault_balance0 * amount_liq0) caused severe precision loss. When vault ratio isn't a whole number, depositors could deposit less token1 than required, extracting value from existing LPs. Fixed with u128 intermediate: amount_liq0 * vault_balance1 / vault_balance0.

3. [HIGH] No Fee Parameter Validation (init_pool.rs)

initialize_pool accepted arbitrary fee parameters. Setting fee_denominator = 0 causes permanent DoS (division-by-zero in every swap). Setting fee_numerator > fee_denominator causes underflow. Since pool_state is a unique PDA per mint pair, this permanently bricks the pool.

4. [MEDIUM] Unchecked Overflow in Initial LP Mint (liquidity.rs:41)

amount_liq0 + amount_liq1 uses unchecked addition. Solana compiles with overflow-checks = false in release mode, so overflow wraps silently instead of panicking.

5. [MEDIUM] Unchecked Arithmetic on total_amount_minted (liquidity.rs:69,165)

+= and -= on total_amount_minted use unchecked operators. In Solana's release mode, overflow/underflow wraps silently. This value is critical to pool accounting.

Additional Issues Found (Not Fixed in This PR)

  • [HIGH] Missing PDA seed validation on swap vaults (swap.rs:76-85) — requires architectural changes
  • [HIGH] First depositor share inflation attack (liquidity.rs:39-42) — needs MINIMUM_LIQUIDITY burn pattern
  • [MEDIUM] Missing pool_state PDA validation in Swap and Liquidity structs
  • [MEDIUM] No minimum output enforcement floor on swaps

Verification

All fixes use safe Rust patterns:

  • checked_add/checked_sub/checked_mul/checked_div for all arithmetic
  • Explicit parameter validation with descriptive error codes
  • Correct mint constraint matching on vault accounts

Audit Methodology

Full line-by-line code review of all Rust program files:

  • programs/ammv2/src/instructions/swap.rs
  • programs/ammv2/src/instructions/liquidity.rs
  • programs/ammv2/src/instructions/init_pool.rs
  • programs/ammv2/src/state.rs
  • programs/ammv2/src/error.rs

Audited by Claude Code (Opus 4.6) for Superteam Earn Agent Bounty.

@claude
fix: critical security vulnerabilities in AMM program
c334177 
Fixes found during security audit:

1. [CRITICAL] swap.rs:83 - Copy-paste bug: vault_dst constraint validated
   vault_src.mint instead of vault_dst.mint, allowing wrong-mint vault
   substitution

2. [HIGH] liquidity.rs:45-46 - Integer truncation in exchange rate
   calculation. Division before multiplication caused precision loss
   that could be exploited to extract value from the pool.
   Fixed by using u128 intermediate and multiplying first.

3. [HIGH] init_pool.rs - No fee parameter validation. Anyone could
   initialize a pool with fee_denominator=0 (causing permanent DoS
   via division-by-zero) or fee_numerator > fee_denominator.
   Added InvalidFees error and validation.

4. [MEDIUM] liquidity.rs:41 - Unchecked addition overflow in initial
   LP mint calculation. Solana compiles release mode with
   overflow-checks=false. Fixed with checked_add.

5. [MEDIUM] liquidity.rs:69,165 - Unchecked arithmetic on
   total_amount_minted tracking. Fixed with checked_add/checked_sub.

Full audit report: https://gist.github.com/ExpertVagabond/security-audit-anchor-uniswap-v2

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ExpertVagabond