Description

The SimpleLaunchPad contract defines a global bondingCurve variable, which can be updated by the contract owner via the updateBondingCurve function. Additionally, the bondingCurve variable is used in the launch function, and its current value is saved into the LaunchData structure for every newly launched token.

This bondingCurve address is subsequently used in the buy and sell functions to calculate the quoteAmount of tokens to be supplied or received. Additionally, it is utilized in the view functions quoteBaseForQuote and quoteQuoteForBase to compute the expected baseAmount based on a provided quoteAmount, and vice versa.

However, all of these functions reference the global bondingCurve address, rather than using the instance stored in LaunchData for the corresponding launched token, which may result in referencing an incorrect bonding curve contract if the global address has been updated, potentially leading to inaccurate token-amount calculations.

Impact

The impact depends on the bondingCurve implementation being updated to. In our case, all previously launched tokens become inaccessible, since the new bondingCurve has zero reserves for them, resulting in all calculations returning zero.

Recommendations

Update all relevant functions (buy, sell, quoteBaseForQuote, and quoteQuoteForBase) to reference the bondingCurve address stored in the LaunchData for each specific launched token, rather than using the global bondingCurve variable.

Remediation

This issue has been acknowledged by Liquid Labs, Inc., and a fix was implemented in commit 316301c5↗.

Liquid Labs, Inc. provided the following response to this finding:

Global bonding curve address is no longer referenced anywhere, except when creating a launch. Updating the global bonding curve will now only affect new launches.