Skip to content

additional validations / checks #14

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

additional validations / checks #14

wants to merge 1 commit into from
+967 −795

Conversation

@LevanIlashvili
Copy link

@LevanIlashvili LevanIlashvili commented Nov 18, 2025

Change Summary

What does this PR change?

This PR addresses some vulnerabilities and implements gas optimizations across the Aqua Protocol core contracts. Fixes include input validation (array length checks, zero address validation, duplicate token detection), integer overflow prevention in AMM pricing formulas, and protection against msg.value reuse in multicall operations.

Detailed Changes

Security Fixes

HIGH Risk Vulnerabilities (3 fixed)

  1. Array Length Mismatch (src/Aqua.sol:53)

    • Added validation: require(tokens.length == amounts.length)
    • Prevents out-of-bounds access and incorrect state initialization
    • Impact: Eliminated DoS vector

  2. Zero Address Validation (src/Aqua.sol:52, 63, 92, 106)

    • Added checks in ship(), pull(), push() functions
    • Prevents fund loss to address(0)
    • Impact: Protects against permanent fund loss

  3. msg.value Reuse in Multicall (src/libs/Multicall.sol:11-13)

    • Added check: prevents msg.value > 0 when multiple calls
    • Impact: Prevents accounting issues and potential exploits

MEDIUM Risk Vulnerabilities (4 fixed)

  1. Duplicate Token Detection (src/Aqua.sol:65-68)

    • Nested loop validates no duplicate tokens in ship()
    • Impact: Prevents incorrect balance accounting

  2. Insufficient Balance Checks (src/Aqua.sol:96-97)

    • Explicit validation in pull() before subtraction
    • Active strategy check added
    • Impact: Better error messages, prevents pulling from inactive strategies

  3. Integer Overflow in Pricing (examples/apps/XYCSwap.sol:128, 138)

    • Replaced (a * b) / c with Math.mulDiv(a, b, c)
    • Impact: Prevents DoS in large value pools

  4. Redundant Hash Calculation (examples/apps/XYCSwap.sol:53-85, 87-119)

    • Refactored to compute keccak256 once per swap
    • Impact: 200-300 gas savings per swap

Gas Optimizations (8 applied)

  • Cached array lengths in all loops (Aqua.sol, Multicall.sol)
  • Unchecked loop increments throughout
  • Eliminated duplicate keccak256 calculations in XYCSwap

Estimated Gas Savings:

  • ship(): ~86 gas (2 tokens)
  • dock(): ~86 gas (2 tokens)
  • swapExactIn/Out(): ~200-300 gas each
  • multicall(): ~43 gas per iteration

Files Changed

Modified Files

  1. src/Aqua.sol

    • Added 5 new custom errors
    • Updated: ship(), dock(), pull(), push()

  2. examples/apps/XYCSwap.sol

    • Updated: swapExactIn(), swapExactOut(), _quoteExactIn(), _quoteExactOut()
    • Added: _swapExactIn(), _swapExactOut() private helpers

  3. src/libs/Multicall.sol

    • Added 1 new custom error
    • Updated: multicall()

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@LevanIlashvili