Reserve Manipulation
Detects AMM and DEX contracts vulnerable to reserve manipulation via direct balance inflation, enabling attackers to skew prices or drain liquidity.
Overview
The reserve manipulation detector identifies AMM/DEX contracts that use balanceOf(address(this)) directly in price or liquidity calculations without comparing against tracked reserves. An attacker can inflate the contract’s token balance by transferring tokens directly (not through the pool’s deposit function), then exploit the inflated balance in swap calculations.
Sigvex identifies functions that read balanceOf(address(this)) and use the result in arithmetic without comparing it against an internally tracked reserve variable.
Why This Is an Issue
Uniswap V2-style AMMs maintain internal reserve0/reserve1 variables and only sync them via the sync() function. Clones or forks that use raw balanceOf instead of tracked reserves allow attackers to manipulate prices by donating tokens directly to the contract. This has been exploited in numerous DEX attacks totaling over $100M.
How to Resolve
    // Before: Vulnerable — uses raw balance for price calculation
    function getPrice() public view returns (uint256) {
        uint256 balance0 = token0.balanceOf(address(this));
        uint256 balance1 = token1.balanceOf(address(this));
        return (balance1 * 1e18) / balance0; // Manipulable via direct transfer
    }

    // After: Fixed — use internally tracked reserves
    function getPrice() public view returns (uint256) {
        // Reserves are only updated by the pool's own mint/burn/swap/sync paths,
        // so a direct token transfer to the contract does not move the quote.
        (uint112 _reserve0, uint112 _reserve1, ) = getReserves();
        return (uint256(_reserve1) * 1e18) / uint256(_reserve0);
    }
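The snippet above shows the quote function in isolation. The following added example (not Sigvex's code and not a real DEX; the contract and function names are hypothetical) puts both patterns side by side in a minimal constant-product pool, so the difference the detector looks for is visible in context: `quoteFromBalances` reads `balanceOf(address(this))` straight into pricing arithmetic, while `getAmountOut` and `swap0For1` compute from the tracked `reserve0`/`reserve1`, treat any balance growth beyond the tracked reserve as swap input, and only write reserves through `_update`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Minimal constant-product pool illustrating tracked reserves.
/// Added example for this page; names are hypothetical, LP share accounting is omitted.
contract TrackedReservePool {
    IERC20 public immutable token0;
    IERC20 public immutable token1;

    // Internally tracked reserves: the only values the pricing paths may read.
    uint112 private reserve0;
    uint112 private reserve1;
    uint32 private blockTimestampLast;

    event Sync(uint112 reserve0, uint112 reserve1);

    constructor(IERC20 _token0, IERC20 _token1) {
        token0 = _token0;
        token1 = _token1;
    }

    function getReserves() public view returns (uint112, uint112, uint32) {
        return (reserve0, reserve1, blockTimestampLast);
    }

    // Single write path for reserves; every state-changing operation ends here.
    function _update(uint256 balance0, uint256 balance1) private {
        require(balance0 <= type(uint112).max && balance1 <= type(uint112).max, "OVERFLOW");
        reserve0 = uint112(balance0);
        reserve1 = uint112(balance1);
        blockTimestampLast = uint32(block.timestamp);
        emit Sync(reserve0, reserve1);
    }

    // VULNERABLE pattern (what the detector flags): raw balances flow into pricing
    // arithmetic with no tracked-reserve comparison. A plain token transfer to this
    // contract changes the answer without any swap having happened.
    function quoteFromBalances(uint256 amount0In) external view returns (uint256) {
        uint256 balance0 = token0.balanceOf(address(this));
        uint256 balance1 = token1.balanceOf(address(this));
        return (amount0In * balance1) / (balance0 + amount0In);
    }

    // SAFE pattern: constant-product output computed from tracked reserves only.
    function getAmountOut(uint256 amount0In) public view returns (uint256) {
        (uint112 _reserve0, uint112 _reserve1, ) = getReserves();
        require(_reserve0 > 0 && _reserve1 > 0, "NO_LIQUIDITY");
        return (amount0In * uint256(_reserve1)) / (uint256(_reserve0) + amount0In);
    }

    // Swap token0 -> token1. Input is measured as balance growth relative to the
    // tracked reserve, so tokens donated directly to the pool are consumed as input
    // by the next swap instead of silently shifting the quoted price.
    function swap0For1(uint256 minAmount1Out, address to) external returns (uint256 amount1Out) {
        (uint112 _reserve0, uint112 _reserve1, ) = getReserves();
        uint256 balance0 = token0.balanceOf(address(this));
        require(balance0 > _reserve0, "NO_INPUT");
        uint256 amount0In = balance0 - _reserve0;

        amount1Out = getAmountOut(amount0In);
        require(amount1Out >= minAmount1Out, "SLIPPAGE");
        require(token1.transfer(to, amount1Out), "TRANSFER_FAILED");

        uint256 balance1 = token1.balanceOf(address(this));
        // Invariant check is against the tracked reserves, not against a prior raw balance.
        require(balance0 * balance1 >= uint256(_reserve0) * uint256(_reserve1), "K");
        _update(balance0, balance1);
    }

    // Intentionally balance-based: absorbs any untracked balance into the reserves.
    // This is the Uniswap V2-style sync() the Limitations section mentions as a
    // likely false positive; it is balance-based by design, unlike quoteFromBalances.
    function sync() external {
        _update(token0.balanceOf(address(this)), token1.balanceOf(address(this)));
    }
}
```

When reviewing a flagged function, the question to ask is the one `swap0For1` answers: is the raw `balanceOf` result compared against a stored reserve (here, `balance0 - _reserve0` and the `K` check), or does it feed the price directly as in `quoteFromBalances`? Only the latter should remain a finding.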
Detection Methodology
- Balance-of-self detection: Identifies STATICCALL to balanceOf with address(this) as the argument.
- Arithmetic context check: Determines if the result flows into price calculation, swap, or liquidity operations.
- Reserve variable comparison: Checks whether the function also loads from a separate reserve storage variable and compares or uses it alongside the raw balance.
- Higher confidence when raw balanceOf is the sole data source for pricing arithmetic.
Limitations
- False positives: Contracts that intentionally use balance-based accounting (e.g., Uniswap V2’s sync() function) may be flagged.
- False negatives: Custom balance-tracking implementations with non-standard patterns may not be recognized.
Related Detectors
- Oracle Manipulation — detects price oracle manipulation
- Flash Loan — detects flash loan attack vectors