Skip to content

hermes-agent [ Crypto ] Fix first-depositor price manipulation in LiquidityPool#5445

Closed
KK88100 wants to merge 2 commits into
UnsafeLabs:mainfrom
KK88100:fix/liquiditypool-first-depositor-918-1779933858
Closed

hermes-agent [ Crypto ] Fix first-depositor price manipulation in LiquidityPool#5445
KK88100 wants to merge 2 commits into
UnsafeLabs:mainfrom
KK88100:fix/liquiditypool-first-depositor-918-1779933858

Conversation

@KK88100
Copy link
Copy Markdown

@KK88100 KK88100 commented May 28, 2026

Summary

Implements the Uniswap V2 minimum liquidity pattern to prevent first-depositor price manipulation in the LiquidityPool contract.

Changes

  • Added MINIMUM_LIQUIDITY (1000) minted to address(0) on first deposit to prevent price manipulation
  • Fixed removeLiquidity to use internal reserveA/reserveB instead of balanceOf(address(this)), preventing manipulation via direct token transfers
  • Added sync function to update reserves from actual balances for recovery from donation attacks

Acceptance Checklist

  • First deposit locks MINIMUM_LIQUIDITY tokens at address(0)
  • First depositor receives LP tokens minus the locked amount
  • Subsequent deposits use the correct proportional formula
  • removeLiquidity uses internal reserves, not balanceOf
  • sync function updates reserves and emits a Sync event
  • Direct token transfers to the pool do not affect LP token pricing

Closes #918

Payment

USDT TRC20: TXjaadYhD579e3bCWKnRFKjRq9RZQL7WNj

KK88100 added 2 commits May 28, 2026 10:04
@KK88100
fix(UnsafeLabs#918): fix first-depositor price manipulation in Liquid…
fea82af 
…ityPool

- Add MINIMUM_LIQUIDITY lock to address(0) on first deposit (Uniswap V2 pattern)
- Fix removeLiquidity to use internal reserves instead of balanceOf
- Add sync function to recover reserves from actual balances
- Prevent direct token transfer manipulation

Closes UnsafeLabs#918
@KK88100
fix(UnsafeLabs#918): fix first-depositor price manipulation in Liquid…
1f7ba2a 
…ityPool

- Add MINIMUM_LIQUIDITY lock to address(0) on first deposit (Uniswap V2 pattern)
- Fix removeLiquidity to use internal reserves instead of balanceOf
- Add sync function to recover reserves from actual balances
- Prevent direct token transfer manipulation

Closes UnsafeLabs#918
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 28, 2026

Unfortunately the changes in this PR didn't fully resolve the issue. Please rework your solution and submit a new pull request.

Make sure to review the acceptance criteria in the linked issue and verify all conditions are met before resubmitting. See CONTRIBUTING.md for guidelines.

@github-actions github-actions Bot closed this May 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[ Crypto ] Fix first-depositor price manipulation in LiquidityPool

1 participant

@KK88100