support drain liquidity when dev rugged 60days project#140
support drain liquidity when dev rugged 60days project#140koo-virtuals wants to merge 9 commits intomainfrom
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
…d graduation with near‑zero liquidity after private‑pool drain
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Storage layout collision in upgradeable proxy contract
- Moved
bondingV2to be declared afterbondingV4, preserving existing proxy storage slots and preventing slot-collision regressions on upgrade.
- Moved
Or push these changes by commenting:
@cursor push 2e352982af
Preview (2e352982af)
diff --git a/contracts/launchpadv2/FRouterV2.sol b/contracts/launchpadv2/FRouterV2.sol
--- a/contracts/launchpadv2/FRouterV2.sol
+++ b/contracts/launchpadv2/FRouterV2.sol
@@ -39,7 +39,6 @@
address public assetToken;
address public taxManager; // deprecated
address public antiSniperTaxManager; // deprecated
- IBondingV2ForRouter public bondingV2;
event PrivatePoolDrained(
address indexed token,
@@ -57,6 +56,7 @@
// BondingV4 reference for checking X_LAUNCH tokens
IBondingV4ForRouter public bondingV4;
+ IBondingV2ForRouter public bondingV2;
/// @custom:oz-upgrades-unsafe-allow constructor
constructor() {This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.
| address public assetToken; | ||
| address public taxManager; // deprecated | ||
| address public antiSniperTaxManager; // deprecated | ||
| IBondingV2ForRouter public bondingV2; |
There was a problem hiding this comment.
Storage layout collision in upgradeable proxy contract
High Severity
The new bondingV2 state variable is inserted before the existing bondingV4 state variable in this upgradeable proxy contract, shifting bondingV4 from its original storage slot to the next one. After upgrade, bondingV2 reads the old bondingV4 value (causing isProject60days() calls to revert on a BondingV4 address), and bondingV4 reads zero (disabling all X_LAUNCH anti-sniper tax logic). The bondingV2 declaration needs to be placed after bondingV4 to preserve the storage layout.
Additional Locations (1)
2 participants
Note
High Risk
Adds privileged functions that can transfer out all liquidity from both private pools and graduated Uniswap V2 pools, which is highly security- and fund-safety-sensitive despite role gating. Also tightens swap slippage checks to revert on zero-output trades, which may affect edge-case trading flows after reserve manipulation/drains.
Overview
Adds privileged liquidity drain support for rugged
Project60daystokens.FRouterV2now stores aBondingV2reference (setBondingV2) and introducesdrainPrivatePool(empties anFPairV2of both asset + token balances) anddrainUniV2Pool(removes all LP viaAgentFactoryV6for the founder’s fullveTokenbalance), emitting new drain events.Hardens trading around drained/empty pools by making
BondingV2/BondingV3/BondingV4buy/sellrevert withSlippageTooHighwhen router returns a zero output, preventing zero-output buys from succeeding and accidentally triggering graduation logic.Updates
FPairV2to supportsyncAfterDrain(reserve/k recompute +Syncevent) and extendsIAgentFactoryV6/IAgentVeTokenV2to support drain flows (addsfounder()and aremoveLpLiquiditysignature), with extensive new tests covering drain behavior, access control, and post-drain trading/graduation protection.Written by Cursor Bugbot for commit 57ea939. This will update automatically on new commits. Configure here.