Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Rujira>Discussion>First-deposit issue
GeneralOverview
Findings
Critical (1)
Informational (1)
DiscussionFirst-deposit issue
Audit ResultsAssessment Results

First-deposit issue

Due to the truncations that exist within execute_withdraw and execute_deposit, there seems to be a possible path to exploit the first-deposit issue, . However, this would require a first user that is able to inflate a single share to a large price. This is not a security issue in Rujira due to the initial four-week starting period in which decay will not exist; as such, there will be a large amount of seed liquidity, and truncation / share inflation is not possible in that period due to a 1:1 coupling of share/deposit price.

Ruji Holdings remediated this issue in commit a6410cc2 by changing the logic to work with CosmWasm Dec values instead of fixed integer calculations.

Zellic © 2025Back to top ↑