Meteora - Dynamic Bonding Curve
Building the most dynamic liquidity pools in DeFi.
- Start date22 Aug 2025
- End date12 Sep 2025
- Total awards$104,500 in USDC
- Duration21 days
- Details
Meteora - Dynamic Bonding Curve audit details
Award pool details
- Total Prize Pool: $104,500 in USDC
- HM awards: up to $96,000 in USDC
- If no valid Highs are found, the HM pool is $19,200 in USDC
- If no valid Highs or Mediums are found, the HM pool is $0
- QA awards: $4,000 in USDC
- Judge awards: $4,000 in USDC
- Scout awards: $500 in USDC
- HM awards: up to $96,000 in USDC
- Read our guidelines for more details
- Starts August 22, 2025 20:00 UTC
- Ends September 12, 2025 20:00 UTC
❗ Important notes for wardens
- A coded, runnable PoC is required for all High/Medium submissions to this audit.
- This repo includes a basic template to run the test suite.
- PoCs must use the test suite provided in this repo.
- Your submission will be marked as Insufficient if the POC is not runnable and working with the provided test suite.
- Exception: PoC is optional (though recommended) for wardens with signal ≥ 0.68.
- This audit includes deployed code, and the "live criticals" exception therefore applies.
- Judging phase risk adjustments (upgrades/downgrades):
- High- or Medium-risk submissions downgraded by the judge to Low-risk (QA) will be ineligible for awards.
- Upgrading a Low-risk finding from a QA report to a Medium- or High-risk finding is not supported.
- As such, wardens are encouraged to select the appropriate risk level carefully during the submission phase.
Publicly Known Issues
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
- Swap rate limiter bypass vulnerability via swap2 instruction: It is possible to bypass the
feeRateLimitermode, in particular the swap rate limiter (an anti-sniping feature - which prevents snipers from bundling multiple swap instructions in one transaction) by using theswap2instruction handler. The vulnerability arises from the lack of aswap2discriminator check in the functionvalidate_single_swap_instruction(). (C4 staff note: this issue was addressed by a public PR on September 5, 2025 at 4:36AM UTC; therefore all submissions of this finding after that timestamp will be considered out of scope.)
Links
- Previous audits: : https://docs.meteora.ag/resources/audits/dbc
- Documentation:
- Website: meteora.ag
- X/Twitter: @MeteoraAG
Scope
Files in Scope: (81 files)
base_fee/fee_rate_limiter.rsbase_fee/fee_scheduler.rsbase_fee/mod.rsconst_pda.rsconstants.rscurve.rserror.rsevent.rsadmin/auth.rsadmin/ix_claim_protocol_fee.rsadmin/ix_close_claim_protocol_fee_operator.rsadmin/ix_create_claim_protocol_fee_operator.rsadmin/ix_withdraw_protocol_surplus.rsadmin/mod.rscreator/ix_claim_creator_trading_fee.rscreator/ix_create_virtual_pool_metadata.rscreator/ix_transfer_pool_creator.rscreator/ix_withdraw_creator_surplus.rscreator/mod.rsinitialize_pool/ix_initialize_virtual_pool_with_spl_token.rsinitialize_pool/ix_initialize_virtual_pool_with_token2022.rsinitialize_pool/mod.rsinitialize_pool/process_create_token_metadata.rsmigration/create_locker.rsmigration/dynamic_amm_v2/damm_v2_metadata_state.rsmigration/dynamic_amm_v2/damm_v2_utils.rsmigration/dynamic_amm_v2/migrate_damm_v2_initialize_pool.rsmigration/dynamic_amm_v2/migration_damm_v2_create_metadata.rsmigration/dynamic_amm_v2/mod.rsmigration/ix_withdraw_migration_fee.rsmigration/meteora_damm/meteora_damm_claim_lp_token.rsmigration/meteora_damm/meteora_damm_lock_lp_token.rsmigration/meteora_damm/meteora_damm_metadata_state.rsmigration/meteora_damm/migrate_meteora_damm_initialize_pool.rsmigration/meteora_damm/migration_meteora_damm_create_metadata.rsmigration/meteora_damm/mod.rsmigration/mod.rsmigration/withdraw_leftover.rsinstructions/mod.rspartner/ix_claim_partner_trading_fee.rspartner/ix_create_config.rspartner/ix_create_partner_metadata.rspartner/ix_withdraw_partner_surplus.rspartner/mod.rsswap/ix_swap.rsswap/mod.rsswap/swap_exact_in.rsswap/swap_exact_out.rsswap/swap_partial_fill.rslib.rsmacros.rsmath/fee_math.rsmath/mod.rsmath/safe_math.rsmath/u128x128_math.rsmath/utils_math.rsparams/fee_parameters.rsparams/liquidity_distribution.rsparams/mod.rsparams/swap.rsstate/claim_fee_operator.rsstate/config.rsstate/fee.rsstate/mod.rsstate/partner_metadata.rsstate/virtual_pool.rsstate/virtual_pool_metadata.rsutils/activation_handler.rsutils/mod.rsutils/token.rs
Files out of Scope: (13 files)
dynamic-bonding-curve-sdk/src/lib.rsdynamic-bonding-curve-sdk/src/quote_exact_in.rsdynamic-bonding-curve-sdk/src/quote_exact_out.rsdynamic-bonding-curve-sdk/src/quote_partial_fill.rstests/mod.rstests/test_quote_exact_out.rstests/test_quote_partial_fill.rsdynamic-bonding-curve-sdk/src/tests/mod.rsdynamic-bonding-curve-sdk/src/tests/test_quote_exact_out.rsdynamic-bonding-curve-sdk/src/tests/test_quote_partial_fill.rslibs/damm-v2/src/lib.rslibs/dynamic-amm/src/lib.rslibs/locker/src/lib.rs
Additional context
Areas of concern (where to focus for bugs)
Main areas to focus on:
- Funds are safe (reserve fund, fees of partner/creator/protocol, surplus amount, amount left)
- Identify any blockers for the migration process (i.e. after the bonding curve reaches the migration quote threshold, it should be migrated)
Main invariants
Main contract:
Third-party contracts:
- Damm v2: https://github.com/MeteoraAg/damm-v2
- Locker: https://github.com/jup-ag/jup-lock
- Damm v1/Dynamic vault: Closed source (https://docs.meteora.ag/overview/products/damm-v1/what-is-damm-v1)
Running tests
pnpm install
pnpm test
Sample PoC
Utilize the existing test suite here as your base for POC's:
- https://github.com/MeteoraAg/dynamic-bonding-curve/tree/30dd2a1fc5c90949e2038f61c19dc03fee513d98/tests
- https://github.com/MeteoraAg/dynamic-bonding-curve/tree/30dd2a1fc5c90949e2038f61c19dc03fee513d98/programs/dynamic-bonding-curve/src/tests
Miscellaneous
Employees of Meteora and employees' family members are ineligible to participate in this audit.
Code4rena's rules cannot be overridden by the contents of this README. In case of doubt, please check with C4 staff.