Completed

Blackhole Mitigation Review

A new decentralised exchange designed to serve as the Trading and Liquidity Hub for all blockchain projects on Avalanche.

  • Start date: 18 Jun 2025
  • End date: 23 Jun 2025
  • Total awards: $4,250 in USDC
  • Duration: 5 days

  • Total Prize Pool: $4,250 in USDC
    • Warden awards: $3,000 in USDC
    • Judge awards: $1,000 in USDC
    • Scout awards: $250 in USDC
  • Warden guidelines for C4 mitigation reviews
  • Starts June 18, 2025 20:00 UTC
  • Ends June 23, 2025 20:00 UTC

Important note

Each warden must submit a mitigation review for every individual item listed in the Scope section below. Incomplete or insufficient mitigation reviews will not be eligible for awards.

Scope

Branch

https://github.com/BlackHoleDEX/SmartContracts/commits/stable-devnet

Mitigation of High & Medium Severity Issues

Mitigations of all High and Medium issues listed here will be considered in-scope:

Fix | Mitigation of
Commit 9ee840a | S-245: Router Address Validation Logic Error - Prevents Valid Router Assignment
Commit 584ff47 | S-176: Reward token in GaugeFactoryCL can be drained by anyone
Commit bf2277b | S-184: Critical Access Control Flaw: Role Removal Logic Incorrectly Grants Unauthorized Roles
Commit c10c8f7 | S-17: MinterUpgradeable: double-subtracting smNFT burns causes rebase underpayment
Commit 1d7f64d | S-419: Quorum does not include the againstVotes leading to emissions rate staying the same even if it should decrease
Commit e34ce14 | S-114: Logic Error in AVM Original Owner Resolution
Commit 9a39a8e Commit edb952 | S-412: Users can cast their votes multiple times for the proposal by transferring their nfts and then voting again
Commit 47cb9f6 | S-175: 1e10 fixed farming reward in GaugeFactoryCL
Commit 877c46a | S-82: Governance emission adjustment ignored when weekly emission above tail threshold
Commit b9533e5 | S-416: Status does not update inside the BlackGovernor leading to complete disruption of nudge functionality
Commit 9a39a8e Commit edb9523 | S-236: checkpoints are incorrectly cleared during transferFrom
Commit c0d68e | S-74: Incorrect Function Call in BribeFactoryV3 recoverERC20AndUpdateData
Commit 2c75927 | S-279: isGenesis flag is ineffective to control add liquidity flow in RouterV2.addLiquidity()
Commit 7b5c04a | S-122: Griefing Attack on GenesisPoolManager.sol::depositNativeToken Leading to Denial of Service
Commit 5adeeb8 | S-324: Function Return Variable Shadowing Prevents Storage Updates in Solidity
Commit 3f60981 | S-406: getVotes inside the BlackGovernor incorrectly provides block.number instead of block.timestamp leading to complete DOS of proposal functionality
Commit 0967e03 Commit edb9523 | S-423: getsmNFTPastVotes incorrectly checks for Voting Power leading to some nfts incorrectly being eligible to vote
Commit 0ae885c | S-187: First liquidity provider can DOS the pool of a stable pair
Commit 4dcbd35 | S-409: Zero-receiver fund burn
Commit 754397f | S-33: L2Governor.execute() accepts Expired / Defeated proposals, attacker front-runs BlackGovernor nudge(), blocks legitimate emission-rate votes, freezes tail emissions
Commit ed042df | S-410: ERC-2612 Permit Front-Running in RouterV2 Enables DoS of Liquidity Operations

Additional scope to be reviewed

These are additional changes that will be in scope.

Out of Scope