Trail of Bits

Bunni v2

Type: Security review

Client: Bacon Labs

Date: 2025-01

Domain: Blockchain

Effort: 8 wks

Section: Ethereum/EVM

Trail of Bits's security review of Bacon Labs (Jan 2025) identified 19 issues: 5 high, 1 medium, 2 low, 7 informational, and 4 undetermined.

Findings · 19

  1. BunniToken permit cannot be revoked (Informational)
  2. Token approvals to ERC-4626 vaults are never revoked (Informational)
  3. Overly strict bid withdrawal validation reduces am-AMM efficiency by enabling griefing (Low)
  4. Users can bid arbitrarily low rent during the bidding process (Undetermined)
  5. Dirty bits of narrow types are not cleaned (Informational)
  6. Rebalance mechanism access control can be bypassed (High)
  7. Pools can be drained via the rebalance mechanism by selectively executing the rebalanceOrderPreHook and the rebalanceOrderPostHook (High)
  8. Missing maximum bounds for rebalance parameters (Informational)
  9. Excess liquidity can be inflated to create arbitrarily large rebalance orders (High)
  10. Insufficient event generation (Informational)
  11. AmAmm manager can manipulate TWAP prices without risk (Medium)
  12. Lack of zero-value checks (Informational)
  13. Lack of systematic approach to rounding and arithmetic errors (Undetermined)
  14. Native assets deposited to pools with no native currencies are lost (Informational)
  15. Users can gain free tokens through the BunniSwap swap functionality (High)
  16. Users can gain tokens during round-trip swaps (High)
  17. Different amounts of input/output tokens can be returned in ExactIn and ExactOut configurations during the swap (Low)
  18. BunniSwap swap functionality can cause panics during the swap (Undetermined)
  19. cumulativeAmount0 can be greater than the cumulative amount computed through inverse functionality for certain LDFs (Undetermined)

Findings extracted from the published report PDF. See the full report below for details and remediation.