Meteora - Dynamic Bonding Curve audit details

Award pool details

• Total Prize Pool: $104,500 in USDC
  • HM awards: up to $96,000 in USDC
    • If no valid Highs are found, the HM pool is $19,200 in USDC
    • If no valid Highs or Mediums are found, the HM pool is $0
  • QA awards: $4,000 in USDC
  • Judge awards: $4,000 in USDC
  • Scout awards: $500 in USDC
• Read our guidelines for more details
• Starts August 22, 2025 20:00 UTC
• Ends September 12, 2025 20:00 UTC

❗ Important notes for wardens

1. A coded, runnable PoC is required for all High/Medium submissions to this audit.
   • This repo includes a basic template to run the test suite.
   • PoCs must use the test suite provided in this repo.
   • Your submission will be marked as Insufficient if the POC is not runnable and working with the provided test suite.
   • Exception: PoC is optional (though recommended) for wardens with signal ≥ 0.68.
2. This audit includes deployed code, and the "live criticals" exception therefore applies.
3. Judging phase risk adjustments (upgrades/downgrades):
   • High- or Medium-risk submissions downgraded by the judge to Low-risk (QA) will be ineligible for awards.
   • Upgrading a Low-risk finding from a QA report to a Medium- or High-risk finding is not supported.
   • As such, wardens are encouraged to select the appropriate risk level carefully during the submission phase.

Publicly Known Issues

Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.

Links

• Previous audits: : https://docs.meteora.ag/resources/audits/dbc
• Documentation:
  • Overview of Meteora's Tech Stack
  • Developer Documentation
• Website: meteora.ag
• X/Twitter: @MeteoraAG

---

Scope

Files in Scope: (81 files)

• base_fee/fee_rate_limiter.rs
• base_fee/fee_scheduler.rs
• base_fee/mod.rs
• const_pda.rs
• constants.rs
• curve.rs
• error.rs
• event.rs
• admin/auth.rs
• admin/ix_claim_protocol_fee.rs
• admin/ix_close_claim_protocol_fee_operator.rs
• admin/ix_create_claim_protocol_fee_operator.rs
• admin/ix_withdraw_protocol_surplus.rs
• admin/mod.rs
• creator/ix_claim_creator_trading_fee.rs
• creator/ix_create_virtual_pool_metadata.rs
• creator/ix_transfer_pool_creator.rs
• creator/ix_withdraw_creator_surplus.rs
• creator/mod.rs
• initialize_pool/ix_initialize_virtual_pool_with_spl_token.rs
• initialize_pool/ix_initialize_virtual_pool_with_token2022.rs
• initialize_pool/mod.rs
• initialize_pool/process_create_token_metadata.rs
• migration/create_locker.rs
• migration/dynamic_amm_v2/damm_v2_metadata_state.rs
• migration/dynamic_amm_v2/damm_v2_utils.rs
• migration/dynamic_amm_v2/migrate_damm_v2_initialize_pool.rs
• migration/dynamic_amm_v2/migration_damm_v2_create_metadata.rs
• migration/dynamic_amm_v2/mod.rs
• migration/ix_withdraw_migration_fee.rs
• migration/meteora_damm/meteora_damm_claim_lp_token.rs
• migration/meteora_damm/meteora_damm_lock_lp_token.rs
• migration/meteora_damm/meteora_damm_metadata_state.rs
• migration/meteora_damm/migrate_meteora_damm_initialize_pool.rs
• migration/meteora_damm/migration_meteora_damm_create_metadata.rs
• migration/meteora_damm/mod.rs
• migration/mod.rs
• migration/withdraw_leftover.rs
• instructions/mod.rs
• partner/ix_claim_partner_trading_fee.rs
• partner/ix_create_config.rs
• partner/ix_create_partner_metadata.rs
• partner/ix_withdraw_partner_surplus.rs
• partner/mod.rs
• swap/ix_swap.rs
• swap/mod.rs
• swap/swap_exact_in.rs
• swap/swap_exact_out.rs
• swap/swap_partial_fill.rs
• lib.rs
• macros.rs
• math/fee_math.rs
• math/mod.rs
• math/safe_math.rs
• math/u128x128_math.rs
• math/utils_math.rs
• params/fee_parameters.rs
• params/liquidity_distribution.rs
• params/mod.rs
• params/swap.rs
• state/claim_fee_operator.rs
• state/config.rs
• state/fee.rs
• state/mod.rs
• state/partner_metadata.rs
• state/virtual_pool.rs
• state/virtual_pool_metadata.rs
• utils/activation_handler.rs
• utils/mod.rs
• utils/token.rs

Files out of Scope: (13 files)

• dynamic-bonding-curve-sdk/src/lib.rs
• dynamic-bonding-curve-sdk/src/quote_exact_in.rs
• dynamic-bonding-curve-sdk/src/quote_exact_out.rs
• dynamic-bonding-curve-sdk/src/quote_partial_fill.rs
• tests/mod.rs
• tests/test_quote_exact_out.rs
• tests/test_quote_partial_fill.rs
• dynamic-bonding-curve-sdk/src/tests/mod.rs
• dynamic-bonding-curve-sdk/src/tests/test_quote_exact_out.rs
• dynamic-bonding-curve-sdk/src/tests/test_quote_partial_fill.rs
• libs/damm-v2/src/lib.rs
• libs/dynamic-amm/src/lib.rs
• libs/locker/src/lib.rs

Additional context

Areas of concern (where to focus for bugs)

Main areas to focus on:

• Funds are safe (reserve fund, fees of partner/creator/protocol, surplus amount, amount left)
• Identify any blockers for the migration process (i.e. after the bonding curve reaches the migration quote threshold, it should be migrated)

Main invariants

Main contract:

• https://github.com/MeteoraAg/dynamic-bonding-curve/tree/30dd2a1fc5c90949e2038f61c19dc03fee513d98

Third-party contracts:

• Damm v2: https://github.com/MeteoraAg/damm-v2
• Locker: https://github.com/jup-ag/jup-lock
• Damm v1/Dynamic vault: Closed source (https://docs.meteora.ag/overview/products/damm-v1/what-is-damm-v1)

Running tests

pnpm install pnpm test

Sample PoC

Utilize the existing test suite here as your base for POC's:

• https://github.com/MeteoraAg/dynamic-bonding-curve/tree/30dd2a1fc5c90949e2038f61c19dc03fee513d98/tests
• https://github.com/MeteoraAg/dynamic-bonding-curve/tree/30dd2a1fc5c90949e2038f61c19dc03fee513d98/programs/dynamic-bonding-curve/src/tests

Miscellaneous

Employees of Meteora and employees' family members are ineligible to participate in this audit.

Code4rena's rules cannot be overridden by the contents of this README. In case of doubt, please check with C4 staff.