Liquidity Pool Security Checklist
Deep-dive security checks for DeFi liquidity pools: 35 security checks derived from 3,663 real audit findings, covering pool creation, deposit/withdrawal, LP token accounting, impermanent loss, concentrated liquidity, rewards, and pool state management.
Threat Analysis
Key statistics from analyzing 3,663 audit findings:
• 3,663 findings analyzed from real smart contract audits across major DeFi protocols
• 35 vulnerability patterns identified and categorized across 7 security domains
• 26 Critical/High items require immediate attention in any audit
CATEGORIES
Pool Initialization Logic Flaws
High: Improper pool initialization can lead to manipulation, unusability, or utilization rate overflow
Pool Initialization Front-Running
High: Malicious actors can manipulate pool parameters during initialization through front-running attacks
Factory Owner Can Steal Router-Approved Funds
High: Factory owner can drain user funds approved to the router contract via malicious pool creation
Round-Trip Swap Token Gain
High: Users can gain tokens during round-trip swaps due to math library bugs in pool invariant
Pool Creation with Invalid Parameters
Medium: Pools can be created with incorrect or malicious initial values leading to exploitation
Improper State Handling in Partial Redemptions
High: Partial redemption requests can be exploited to steal assets due to improper state management
Incorrect Liquidity Accounting After Withdrawals
High: Force withdrawal or emergency exit functions fail to update total liquidity correctly
Access Control Bypass in Token Operations
High: Malicious actors exploit improper access controls to manipulate deposit/withdrawal token operations
Withdrawal Denial of Service
High: Malicious users can permanently block withdrawals by exploiting deposit/withdrawal logic
Liquidity Removal Blocked During Pool Disable
High: Users cannot withdraw liquidity when pools are disabled, trapping funds during emergencies
LP Token Share Inflation Attack
High: First depositor can manipulate share-to-asset ratio through donation attacks
LP Token Supply Inconsistency
High: Total supply changes without proper LP token accounting updates cause pricing drift
LP Token Pricing Manipulation via Flash Loans
High: LP token pricing vulnerable to flash loan or slot0 manipulation attacks
Incorrect Fee Application in LP Logic
Medium: Fee logic applies fees to wrong assets or at wrong stages, causing incorrect LP pricing
Token Balance Manipulation During Rebalancing
High: Attacker can drain funds by manipulating token balances during rebalancing operations
Incorrect LP Token Accounting Formulas
High: Flawed mathematical formulas or invariants in LP token calculations cause fund loss
Liquidity Cooldown Manipulation
High: Malicious users can keep others in liquidity cooldown indefinitely via small deposits
Implied Volatility Manipulation in Liquidity Parameters
High: IV can be decreased without cost due to rounding errors in liquidity calculations
Incorrect Token Reserve Updates on Burn
High: Burning liquidity positions fails to properly decrement token reserves
Incorrect Liquidity Delta Handling in Swaps
Medium: Liquidity adjustments not properly reflected in swap simulation vs actual execution
Unchecked Array Growth in Tick Tracking
Medium: Unbounded array growth in tick tracking can brick liquidity operations
Incorrect Reward Calculation Logic
High: Flawed arithmetic or stale balance data in reward distribution leads to over/under-payment
Reward Distribution Timing Vulnerabilities
High: Improper handling of reward timing causes inflation, trapping, or front-running of rewards
Reward Theft via Recovery Functions
High: Token managers can exploit recoverERC20 or similar functions to steal reward tokens
Unrestricted Critical Parameter Modification
High: Contract owner can change critical parameters like exchange rates and fees without restrictions
Uncontrolled Ownership Transfer
High: Ownership can be transferred to an arbitrary address without confirmation or safeguards
Price Manipulation via Direct Token Transfers
High: Direct token transfers can manipulate pool prices without triggering swap logic
Incorrect Share Accounting in Pool Operations
High: Flawed share accounting during swaps, rolls, or fee collection leads to incorrect balances
Incorrect Liquidation Price Calculations
High: Flawed liquidation price computation leads to improper liquidations or undercollateralized positions
Incorrect Token Amount Scaling
High: Swap functions return unscaled token amounts, causing users to receive fewer tokens than expected
Unvalidated Curve Cuts Enable Arbitrage
High: Missing validation for curve parameters enables creation of invalid liquidity curves
IL Protection Mechanism Exploitation
High: Impermanent loss protection can be exploited to drain reserve funds
Unrestricted AMM Parameter Updates
Medium: Abrupt changes to critical AMM parameters like amplification factor without safeguards
Missing LP Validation in Fee Distribution
High: Fee distribution logic fails to verify LP existence before allocation
Flash Loan Manipulation of LP Interest Rates
High: Flash loans can manipulate stable interest rates and pool rates, amplifying LP losses

