Liquidity Management

Summary

The contract hardcodes a multiplier of 1e8 when calculating shares for the first depositor:

This means the first deposit always receives 1e8 shares, regardless of the deposit size. As a result, future depositors may recive significantly fewer shares, leading to an unfair distribution of ownership.

Vulnerability Details

Scenario 1:

• User A deposit 10 tokens.

• Since totalShares == 0, the contract assigns exactly 1e8 shares to User A
  So, User A gets 1e9 shares
  totalShares = 1e9
  User A owns 100% of shares despite only depositing 10 tokens

• Scenario 2:

• User B deposits 10 more tokens.

• Since totalShares != 0, shares are now calulated as:

• Total assets before deposit (totalAmountBefore) = 10

• Total shares before deposit = 1e9

_shares = 10 * 1e9 / 10;
_shares = 1e8

Overall
User A received 1e9 i.e 90.9% of ownership
User B received 1e8 i.e 9.1% of ownership

ISSUE:
User B deposit the same amount as User A but receives 10x fewer shares, making participation unfair.

Impact

• Unfair Share Distribution

• Low incentive for future deposits

• Incorrect Asset Valuation

Tools Used

Manual Review

Recommendations

Instead of hardcoding 1e8, base _shares on the actual value of the first deposit:

where:

• PRECISION = 1e30 (or another scaling factor).

• initialTokenPrice is fetched from an oracle or preset value.
  Alternatively, set totalShares = amount so the first deposit gets shares proportional to its value: