Team Finance: Flawed migrate() function — Uniswap V2→V3 migration with skewed price manipulation
Team Finance's "Industry Leader In Project Security" lost $15.8M because their audited migrate() function let anyone create a Uniswap V3 pool at a skewed price and pocket the difference from locked liquidity.
Summary #
Team Finance suffered a Liquidity Lock / DAO Tooling on 2022-10-27, resulting in a loss of approximately $16M.
What happened #
Team Finance's "Industry Leader In Project Security" lost $15.8M because their audited migrate() function let anyone create a Uniswap V3 pool at a skewed price and pocket the difference from locked liquidity.
Linked factors #
- RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — The V2→V3 migration feature was a relatively recent addition] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — The V2→V3 migration feature was a relatively recent addition]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-008 — illustrative : Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — migrate() was in Zokyo's audit scope but the authorization bypass and price manipulation vulnerability were missed]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown — Team Finance team details not widely public]
- RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — The V2→V3 migration feature was a relatively recent addition]