HotCurves.fun is a decentralized launchpad built atop Uniswap V4, enabling fully on-chain, omnichain token launches and swaps. Powered by its native $HOTKEY governance/liquidity token, the platform automates liquidity permanence, price stability, and manipulation resistance across the Ethereum, BSC, Base, and Arbitrum networks.
Why Did They Need an Audit?
HotCurves planned to open public access to its bonding-curve launchpad and was preparing to migrate liquidity automatically into a Uniswap V3 pool at launch completion. Due to the complexity of on-chain price discovery, automated pool creation, fee routing, and omnichain token support, the team requested an independent assessment to uncover logic errors or economic attack vectors that could jeopardize user funds or the integrity of the launch process.
What Was Audited?
The review covered 11 Solidity files (≈1,147 nSLOC).
Key Objectives
Validate bonding-curve math and fee distribution.
Assess automatic Uniswap V3 pool creation & initialization.
Verify slippage protection and price-oracle usage.
Review referrer accounting, reward mechanisms, and upgrade controls.
Audit Date: 2025-02-17
Language: Solidity
Type: Code Audit
Results and Findings
Key Critical Issues
Frontrunnable Pool Initialization Enables Price Manipulation (HotCurves-C01)
Description: An attacker could pre-create and skew the (HOTKEY, Token) Uniswap V3 pool just before finalize(). The contract then injected all liquidity at the attacker’s price, letting the adversary drain value.
Resolution: Factory now pre-creates and seeds the pool at the deterministic final price cap; excess purchase value is refunded.
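The pattern behind this resolution, written as an added illustration rather than HotCurves' own code: the launch pool is created and initialized at the curve's deterministic final price when the launch is registered, and finalize() refuses to add liquidity unless the pool still sits at that price. Contract and function names, the 0.5% tolerance, and the sqrt-price encoding the caller supplies are all assumptions of this example; the Uniswap V3 factory and pool interfaces are the real ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IUniswapV3Factory} from "@uniswap/v3-core/contracts/interfaces/IUniswapV3Factory.sol";
import {IUniswapV3Pool} from "@uniswap/v3-core/contracts/interfaces/IUniswapV3Pool.sol";

/// Illustrative launchpad fragment (example code, not the HotCurves implementation).
/// The (token, HOTKEY) pool is created and initialized by the launchpad itself at
/// a price fixed by the curve parameters, so finalize() never has to trust
/// whatever price a pool created by someone else happens to carry.
contract LaunchPoolGuard {
    IUniswapV3Factory public immutable factory;
    address public immutable hotkey;      // quote token of every launch pool (assumed name)
    uint24  public immutable poolFee;     // e.g. 10000 for the 1% tier (assumed)
    // Hypothetical tolerance on sqrtPriceX96: 0.5% on the square root is about 1% on price.
    uint256 public constant MAX_PRICE_DEVIATION_BPS = 50;

    struct Launch {
        address pool;
        uint160 targetSqrtPriceX96;       // deterministic final price derived from the curve cap,
                                          // encoded for the pool's token0/token1 ordering by the caller
        bool    finalized;
    }
    mapping(address => Launch) public launches;

    constructor(IUniswapV3Factory _factory, address _hotkey, uint24 _poolFee) {
        factory = _factory;
        hotkey = _hotkey;
        poolFee = _poolFee;
    }

    /// Called when a token launch is registered, before any public trading on the curve.
    function registerLaunch(address token, uint160 targetSqrtPriceX96) external {
        address pool = factory.getPool(token, hotkey, poolFee);
        if (pool == address(0)) {
            pool = factory.createPool(token, hotkey, poolFee);
        }
        (uint160 current,,,,,,) = IUniswapV3Pool(pool).slot0();
        if (current == 0) {
            // Fresh pool: the launchpad sets the price; nobody else gets the chance.
            IUniswapV3Pool(pool).initialize(targetSqrtPriceX96);
        } else {
            // Someone initialized it first: only accept it if it already sits at the target.
            require(_withinTolerance(current, targetSqrtPriceX96), "pool price skewed");
        }
        launches[token] = Launch({pool: pool, targetSqrtPriceX96: targetSqrtPriceX96, finalized: false});
        // Seeding a small full-range position here (omitted: it needs the mint callback)
        // is what makes moving the price away from the target cost real capital;
        // an empty V3 pool can be pushed to any price for free.
    }

    /// Finalization re-checks the price: trades on the pool between registration
    /// and finalization could have moved it away from the target.
    function finalize(address token) external {
        Launch storage l = launches[token];
        require(!l.finalized && l.pool != address(0), "bad launch");
        (uint160 current,,,,,,) = IUniswapV3Pool(l.pool).slot0();
        require(_withinTolerance(current, l.targetSqrtPriceX96), "pool price skewed");
        l.finalized = true;
        // ... mint the launch liquidity around the target price here (omitted) ...
    }

    function _withinTolerance(uint160 actual, uint160 target) internal pure returns (bool) {
        uint256 diff = actual > target ? actual - target : target - actual;
        return diff * 10_000 <= uint256(target) * MAX_PRICE_DEVIATION_BPS;
    }
}
```

The check in finalize() is the part that actually closes the window: pre-creating the pool removes the attacker's ability to choose the initial price, and the tolerance check at finalization catches a price that was moved afterwards instead of silently providing liquidity at it.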
Missing Slippage Check in ETH→HOTKEY Swap (HotCurves-C02)
Description: amountOutMinimum = 0 allowed sandwich attacks during the ETH-to-HOTKEY swap executed in finalize().
Resolution: Swap now enforces a TWAP-based minimum-output guard.
Notable High-Severity Issues
Incorrect Fee & Accounting in sellToken (HotCurves-H01) – Repeated curve conversion produced inflated ETH payouts and inconsistent LP metrics.
No Slippage Limits in buyToken / sellToken (HotCurves-H02) – Enabled profit-free sandwiching around user trades.
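Both slippage findings (C02 and H02) come down to the same missing bound, applied in two places: the protocol's own swap inside finalize() needs a floor it can compute itself, and user trades need a floor the user supplies. The following added example (not HotCurves code; the curve math is left abstract, and the contract name, TWAP window and 3% deviation are assumptions) shows the TWAP-derived amountOutMinimum for the internal swap and caller-supplied minimums plus deadlines for buyToken / sellToken. It assumes the 0.8-compatible releases of the Uniswap v3 packages.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ISwapRouter} from "@uniswap/v3-periphery/contracts/interfaces/ISwapRouter.sol";
import {OracleLibrary} from "@uniswap/v3-periphery/contracts/libraries/OracleLibrary.sol";

interface ILaunchToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Illustrative fragment (example code, not the HotCurves implementation): only the
/// slippage guards are shown; the bonding-curve math is left to a derived contract.
abstract contract SlippageGuardedCurve {
    ISwapRouter public immutable router;
    address public immutable weth;
    address public immutable hotkey;
    address public immutable hotkeyEthPool;   // WETH/HOTKEY V3 pool used as the TWAP source (assumed)
    uint24  public immutable poolFee;
    uint32  public constant TWAP_WINDOW = 30 minutes;     // hypothetical window
    uint256 public constant MAX_TWAP_DEVIATION_BPS = 300; // hypothetical: accept at most 3% below TWAP quote

    constructor(ISwapRouter _router, address _weth, address _hotkey, address _pool, uint24 _fee) {
        router = _router;
        weth = _weth;
        hotkey = _hotkey;
        hotkeyEthPool = _pool;
        poolFee = _fee;
    }

    // Curve math lives elsewhere. These compute the output for a given input and
    // update reserves (effects) without transferring anything (interactions).
    function _curveBuy(address token, uint256 ethIn) internal virtual returns (uint256 tokensOut);
    function _curveSell(address token, uint256 tokensIn) internal virtual returns (uint256 ethOut);

    /// C02 pattern. The vulnerable version passed amountOutMinimum: 0, so the swap
    /// inside finalize() accepted any output. Here the floor is derived from the
    /// pool's time-weighted average price, which a single-block sandwich cannot move much.
    function _swapEthForHotkey(uint256 amountIn) internal returns (uint256 amountOut) {
        require(amountIn <= type(uint128).max, "amount too large");
        (int24 meanTick, ) = OracleLibrary.consult(hotkeyEthPool, TWAP_WINDOW);
        uint256 quoted = OracleLibrary.getQuoteAtTick(meanTick, uint128(amountIn), weth, hotkey);
        uint256 minOut = quoted * (10_000 - MAX_TWAP_DEVIATION_BPS) / 10_000;

        amountOut = router.exactInputSingle{value: amountIn}(
            ISwapRouter.ExactInputSingleParams({
                tokenIn: weth,               // the router wraps the attached ETH
                tokenOut: hotkey,
                fee: poolFee,
                recipient: address(this),
                deadline: block.timestamp,   // same-transaction deadline; the TWAP floor does the real work
                amountIn: amountIn,
                amountOutMinimum: minOut,    // was 0 in the vulnerable version
                sqrtPriceLimitX96: 0
            })
        );
    }

    /// H02 pattern: user-facing trades take a caller-supplied floor and deadline,
    /// because only the caller knows the price they saw when they signed.
    function buyToken(address token, uint256 minTokensOut, uint256 deadline)
        external payable returns (uint256 tokensOut)
    {
        require(block.timestamp <= deadline, "expired");
        tokensOut = _curveBuy(token, msg.value);                      // checks + effects
        require(tokensOut >= minTokensOut, "slippage: tokens out below minimum");
        require(ILaunchToken(token).transfer(msg.sender, tokensOut), "transfer failed"); // interaction
    }

    function sellToken(address token, uint256 tokensIn, uint256 minEthOut, uint256 deadline)
        external returns (uint256 ethOut)
    {
        require(block.timestamp <= deadline, "expired");
        ethOut = _curveSell(token, tokensIn);                         // checks + effects
        require(ethOut >= minEthOut, "slippage: eth out below minimum");
        require(ILaunchToken(token).transferFrom(msg.sender, address(this), tokensIn), "transfer failed");
        (bool ok, ) = msg.sender.call{value: ethOut}("");             // interactions last
        require(ok, "eth send failed");
    }
}
```

Two deployment caveats for the TWAP guard: OracleLibrary.consult reverts if the pool's observation buffer does not reach back TWAP_WINDOW seconds, so the pool's cardinality must be grown beforehand with increaseObservationCardinalityNext; and a TWAP floor only bounds how far the fill can be from the recent average, so the deviation constant should be set from the pool's actual liquidity depth rather than picked generously.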
Low-Severity / Best-Practice Observations
Hard-coded Pool Parameters (HotCurves-L01) – Fee tier & tick-spacing now owner-configurable for optimal liquidity.
Inconsistent Referrer Fee Units (HotCurves-L02) – Separate trackers added for ETH- and token-denominated fees.
Informational Improvements
Pagination for large array reads, removal of redundant receive() functions, strict CEI adoption, inclusive market-cap finalize check, and proper totalSupply burn semantics (N01–N05) were all implemented.
Severity        Issues
critical
high            4
medium          0
low             2
informational   5

Audit Period: 2 PW
In conclusion
Three Sigma’s review of HotCurves focused on safeguarding its bonding-curve launchpad, automated liquidity migration, and fee architecture. By eliminating critical frontrunning and slippage flaws and tightening accounting and configuration practices, HotCurves significantly increased user and liquidity-provider protection ahead of mainnet rollout. The audit positions HotCurves.fun to deliver a fair, manipulation-resistant launchpad experience across multiple chains, fostering confidence among token teams and traders alike.