LP Token Inflation
Detects AMM and DEX liquidity pool contracts vulnerable to first-depositor inflation attacks where an attacker manipulates the share price to steal from subsequent depositors.
Overview
The LP token inflation detector identifies liquidity pool contracts vulnerable to the first-depositor attack. The attack proceeds in four steps: (1) the attacker deposits a minimal amount to receive 1 share; (2) the attacker donates a large amount of tokens directly to the pool; (3) the next depositor’s deposit is divided by the inflated total assets, resulting in 0 shares due to integer division; and (4) the first depositor redeems their 1 share for the entire pool balance.
Why This Is an Issue
This is a common vulnerability in AMM pools, ERC-4626 vaults, and staking contracts. If the share-to-asset ratio can be manipulated while the total share supply is very small, any subsequent depositor loses their entire deposit. The attack costs only the initial small deposit plus the donation.
How to Resolve
// Fixed: Mint dead shares on first deposit to prevent inflation
function deposit(uint256 assets) external returns (uint256 shares) {
    if (totalSupply() == 0) {
        // First deposit: the depositor receives everything above the locked minimum
        shares = assets - MINIMUM_LIQUIDITY;
        _mint(address(0xdead), MINIMUM_LIQUIDITY); // Lock minimum shares
    } else {
        // totalAssets() is read before the transfer below
        shares = (assets * totalSupply()) / totalAssets();
    }
    require(shares > 0, "Zero shares"); // Reject deposits that round down to nothing
    _mint(msg.sender, shares);
    asset.transferFrom(msg.sender, address(this), assets);
}
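The share arithmetic from the Overview and the fix above, modelled with integer division as an added example (not the detector's or any project's code). The `Pool` class, the `scenario` helper, the holder names and the `MINIMUM_LIQUIDITY` value of 1000 are assumptions made for illustration.

```python
MINIMUM_LIQUIDITY = 1_000  # assumed value; the page does not state the constant

class Pool:
    """Integer model of the pool's share accounting."""
    def __init__(self, hardened):
        self.hardened = hardened   # True = dead shares + zero-share check
        self.total_assets = 0      # token balance held by the pool
        self.shares = {}           # holder -> share balance

    def total_supply(self):
        return sum(self.shares.values())

    def _mint(self, who, n):
        self.shares[who] = self.shares.get(who, 0) + n

    def deposit(self, who, assets):
        if self.total_supply() == 0:
            if self.hardened:
                if assets <= MINIMUM_LIQUIDITY:   # underflow or zero shares
                    raise ValueError("Zero shares")
                self._mint("0xdead", MINIMUM_LIQUIDITY)  # locked forever
                minted = assets - MINIMUM_LIQUIDITY
            else:
                minted = assets                   # naive 1:1 first deposit
        else:
            minted = assets * self.total_supply() // self.total_assets
        if self.hardened and minted == 0:
            raise ValueError("Zero shares")       # models the require()
        self._mint(who, minted)
        self.total_assets += assets
        return minted

    def donate(self, assets):
        self.total_assets += assets  # direct transfer: no shares minted

    def redeem_value(self, who):
        return self.shares.get(who, 0) * self.total_assets // self.total_supply()

def scenario(hardened, first, donation, second):
    """First deposit, donation, second deposit; returns
    (shares minted to second, first's claim, second's claim)."""
    pool = Pool(hardened)
    pool.deposit("first", first)
    pool.donate(donation)
    try:
        minted = pool.deposit("second", second)
    except ValueError:
        minted = None  # deposit reverted; second depositor keeps their tokens
    return minted, pool.redeem_value("first"), pool.redeem_value("second")
```

With constructed amounts, `scenario(False, 1, 10_000, 5_000)` leaves the second depositor with 0 shares, while `scenario(True, 1_001, 10_000, 5_000)` mints 454 shares and leaves the first depositor holding a claim far smaller than what they put in.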
Detection Methodology
- Share calculation pattern: Identifies (amount * totalSupply) / totalAssets division patterns.
- First deposit handling: Checks whether the contract has special handling for totalSupply == 0.
- Dead share minting: Looks for minimum liquidity locking (minting to address(0) or address(0xdead)).
- Missing zero-share check: Flags when the share calculation result is not checked against zero.
Limitations
- False positives: Pools that use alternative anti-inflation mechanisms (virtual shares, minimum deposit thresholds) may be flagged.
- False negatives: Custom share accounting that uses different variable names may not be detected.
Related Detectors
- Vault Inflation — detects ERC-4626 vault first-depositor attacks
- Vault Rounding — detects rounding direction errors
- Precision Errors — detects precision loss in calculations