fix: resolve audit findings M-8, M-13, M-18 #51

Merged
hackercf merged 1 commit into master from
fix/audit-m8-m13-m18
Mar 24, 2026

@hackercf
Summary

Continues V1.5 audit remediation (follows PRs #47#50). Fixes 3 MEDIUM findings from the 2026-03-10 Claude Code Security Audit V2.

  • M-18: Tighten governance action validation ranges — initiate-proposal-to-set-market-feature narrowed from u2–u23 to u2–u8 + u23, initiate-proposal-to-set-market-state narrowed from u9–u22 to u9–u10. Prevents creating proposals with mismatched action types that unwrap-panic on execution.
  • M-8: Enforce minimum initial deposit (u1000 / 0.001 USDC) when LP pool is empty. Mitigates first-depositor share inflation attack (previously only blocked deposits of exactly 1).
  • M-13: Add flash loan reentrancy guard via boolean flag covering the entire operation (checks-effects-interactions pattern). Defense-in-depth — Clarity VM also prevents circular references at runtime.

No state-v1 modifications. All 207 tests pass.

Test plan

  • clarinet check — 36 contracts compile
  • npm test — 207/207 tests pass
  • M-18: Boundary tests for reject (u9, u11, u22) and accept (u8, u10) action values
  • M-8: Boundary tests at 2 (reject), 999 (reject), 1000 (accept)
  • M-13: Existing flash loan tests pass with guard in place; Clarity VM circular reference protection documented
  • No state-v1 changes (verified via git diff)

M-18: Tighten governance action validation ranges
- initiate-proposal-to-set-market-feature: u2-u23 → u2-u8 + u23
- initiate-proposal-to-set-market-state: u9-u22 → u9-u10
- Prevents creating proposals with mismatched action types that panic on execution

M-8: Enforce minimum initial deposit for first LP depositor
- Require >= 1000 units (0.001 USDC) on first deposit (total-assets == 0)
- Mitigates share inflation attack vector (previously only blocked exactly 1)

M-13: Add flash loan reentrancy guard
- Boolean flag set before any external calls, cleared after all operations complete
- Follows checks-effects-interactions pattern
- Defense-in-depth (Clarity VM also prevents circular references)

All 207 tests pass. No state-v1 modifications.
@hackercf hackercf requested a review from talhasch March 17, 2026 13:28
@talhasch talhasch left a comment

lgtm

@hackercf hackercf merged commit e638db1 into master Mar 24, 2026
4 checks passed
@hackercf hackercf deleted the fix/audit-m8-m13-m18 branch March 24, 2026 04:52
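
Added example (not code from this PR or the project's contracts): a small Python model of the M-8 first-deposit guard, reproducing the 2 / 999 / 1000 boundary cases from the test plan and comparing a later depositor's rounding loss under the old and new minimums. The share formula, the `Pool` class and all figures passed to `rounding_loss` are assumptions constructed for illustration.

```python
MIN_INITIAL_DEPOSIT = 1000   # u1000 = 0.001 USDC (value from the PR summary)
OLD_MIN_INITIAL_DEPOSIT = 2  # pre-fix rule per the PR: only a deposit of exactly 1 was blocked


class Pool:
    """Assumed accounting (not from the PR): first deposit mints 1:1,
    later deposits mint amount * total_shares // total_assets."""

    def __init__(self, min_initial=MIN_INITIAL_DEPOSIT):
        self.min_initial = min_initial
        self.total_assets = 0
        self.total_shares = 0

    def deposit(self, amount):
        if self.total_assets == 0:
            # M-8 guard: applies only while the pool is empty
            if amount < self.min_initial:
                raise ValueError("initial deposit below minimum")
            shares = amount
        else:
            shares = amount * self.total_shares // self.total_assets
        self.total_assets += amount
        self.total_shares += shares
        return shares

    def add_assets(self, amount):
        """Assets arrive without minting shares, raising the share price."""
        self.total_assets += amount

    def value_of(self, shares):
        return shares * self.total_assets // self.total_shares


def first_deposit_accepted(amount, min_initial=MIN_INITIAL_DEPOSIT):
    try:
        Pool(min_initial).deposit(amount)
        return True
    except ValueError:
        return False


def rounding_loss(first, added, later, min_initial):
    """Units the later depositor loses to integer division."""
    pool = Pool(min_initial)
    pool.deposit(first)
    pool.add_assets(added)
    return later - pool.value_of(pool.deposit(later))


if __name__ == "__main__":
    # Constructed figures: same assets added, same later deposit, two first-deposit sizes
    print(rounding_loss(2, 1_999_998, 1_500_000, OLD_MIN_INITIAL_DEPOSIT))
    print(rounding_loss(1000, 1_999_998, 1_500_000, MIN_INITIAL_DEPOSIT))
```

In this model the loss is bounded by roughly one share's price, so a larger first deposit (more shares outstanding) shrinks it; the guard raises the cost of skewing the share price but does not remove rounding.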