I have thoroughly analyzed the provided `ProgressiveCurve.sol` and its related mathematical logic. Based on the Code4rena/Secure3 severity rubric, I have **zero findings** to report. The contract implements the integral pricing model for a linearly progressive bonding curve correctly and safely. Below is a detailed breakdown of the checks performed, why the code is secure, and false positive justifications. --- ### What I Checked (Zero Findings Justification) 1. **Bonding Curve Math & Integral Accuracy:** The contract correctly computes pricing using the continuous integral of the linear curve $P = S \times \text{SLOPE}$. The total reserve area under the curve is mathematically $A(S) = \frac{1}{2} \cdot \text{SLOPE} \cdot S^2$. The code implements this precisely in `previewMint` and `_convertToAssets` as `(S_{next}^2 - S^2) * HALF_SLOPE`. 2. **EIP-4626 Rounding Symmetries:** The implementation properly applies conservative rounding favorable to the protocol, satisfying standard vault constraints and preventing round-trip arbitrages: * `previewMint` (user buys shares): Uses `PCMath.squareUp` and `PCMath.mulUp` to **round up** the asset cost to the user. * `_convertToAssets` (user redeems shares): Uses `PCMath.square` and `mul` (truncate/round down) to **round down** the assets yielded back to the user. * `previewWithdraw` (user specifies exact assets out): Uses `divUp` to **round up** the shares deducted from the user. * `_convertToShares` (user specifies exact assets in): Uses `div` (round down) and `sqrt` (round down) to **round down** the shares given to the user. 3. **Inflation / Donation Attacks:** The curve logic relies strictly on `totalShares` to compute state transitions and pricing. Although `totalAssets` is passed to the functions, it is completely ignored in the pricing math. This breaks classic ERC-4626 donation attacks (where attackers send raw assets to the vault to inflate share prices) because the progressive curve rigidly prices shares based on *supply*, not the collateral ratio. 4. **Overflows / Extreme Slopes:** The constructor initializes `MAX_SHARES` and limits operations bounded to `uMAX_UD60x18`. For any reasonable slope values (and implicitly bound up to roughly $10^{36}$), the total shares squared and maximum asset math safely fit within the `UD60x18` capacity constraints ($~1.15 \times 10^{77}$) avoiding implicit reverts. 5. **Div-by-Zero and Granularity:** The initializer correctly enforces `slope18 == 0 || slope18 % 2 != 0`, guaranteeing that `HALF_SLOPE` retains exact precision and that divide-by-zero is impossible. --- ### Slither False Positives The output provided by Slither relies completely on upstream mathematical library issues, none of which affect `ProgressiveCurve.sol` directly. * **`incorrect-exp` & `incorrect-shift`:** Slither flags the bitwise `^` (XOR) and bit-shifting syntax used inside `solady/FixedPointMathLib.sol`. Solady is highly aggressively optimized and correctly uses assembly bitwise operations (not exponentiation). These are well-known solady FPs. * **`divide-before-multiply`:** Slither complains about divisions mathematically ordered before multiplication in Solady's approximation loops (e.g. `expWad`/`lambertW0Wad`). These are carefully bounded numerical approximations where intermediate ordering prevents overflow, not rounding-error bugs. * **`assembly`:** Flags `solady` and `openzeppelin` components for using inline assembly, which is required for their gas optimizations. * **`pragma`:** Notice indicating Solady, PRB math, and `ProgressiveCurve.sol` use differing versions (`^0.8.4` vs `>=0.8.19` vs `0.8.29`). Because the protocol is evidently compiling on `0.8.29`, no deprecated bug surfaces from older compilers. * **`dead-code` & `cyclomatic-complexity`:** Assorted noise triggered by PRBMath having functions imported but not utilized by your individual contract, which has zero deployment gas impact. --- ### High-Confidence Observations * **Mathematical exactness on deltas:** Because Solidity limits operate without IEEE-754 floating precision truncation, large initial share magnitudes ($s$) combined with tiny share mints (e.g., `minShare=1e6`) calculate exact integrals via difference of squares correctly, losing zero significant digits on delta increments. * **Valid Restrictive Withdrawals:** `previewWithdraw` can analytically revert on exact maximum mathematical bounds of `square(s)` because of its application of `divUp(assets)`. This strict implicit bound is desirable: it reverts users if they ask for fractional wei more than the exact down-rounded valuation of their shares limits. Users must interface symmetrically via redeem in terminal cases. * **Initialization robustness:** Validating `slope18 % 2 == 0` is an unusually thorough, positive check indicating strong awareness of parity truncation risks in `wrap(slope18 / 2)`.