Day 53 — Improper Zero Mint Check

The lp_to_mint != 0 check in end_deposit_session does not accurately prevent minting zero tokens, as the to_balance conversion may still result in zero despite the non-zero value of lp_to_mint .

Vulnerability Pattern: Business Logic

Severity: Low

Ecosystem: Sui

Protocol: Aftermath Market Making

Auditor: OtterSec

Report:

https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

Report Date: Jan 2025

Description: In end_deposit_session, the check assert!(lp_to_mint != 0 only ensures that the lp_to_mint value, as calculated before the conversion to a fixed-point format ( to_balance ), is non-zero. However, the conversion process itself (specifically the call to ifixed::to_balance ) may still result in a minted amount of zero liquidity provider (LP) tokens, even if the value of lp_to_mint is non-zero prior to conversion.

Recommendation: Perform a validation after the conversion to ensure the minted LP balance is valid and non-zero.

Coding/Auditing Tip: Always validate critical values after all transformations or conversions to ensure they remain within expected ranges and do not unintentionally become zero or invalid.