How to Conduct Due Diligence on a New DEX Pool

Detailed Instructions

Begin by identifying the official contract addresses for the pool's factory, router, and pair contracts. This information is typically found on the DEX's official documentation, GitHub repository, or announcements. For a pool on a network like Ethereum, use a block explorer such as Etherscan to verify the addresses. For example, you might find a Uniswap V2-style factory at 0x5C69bEe701ef814a2B6a3EDD4B1652CB9cc5aA6f. Once you have the addresses, you must obtain the verified source code. On Etherscan, navigate to the contract's page and check the 'Contract' tab for the Solidity source. If it's not verified, this is a major red flag. For a more direct approach, clone the project's official GitHub repository to access the latest codebase.

• Sub-step 1: Search the project's official docs and GitHub for the canonical contract addresses.
• Sub-step 2: Cross-reference these addresses on a block explorer to confirm they are verified and have legitimate transaction history.
• Sub-step 3: Download or view the verified Solidity source code from the explorer or repository.

Tip: Always be wary of unofficial links or forks. Bookmark the official sources to avoid phishing attempts.

Detailed Instructions

Focus your analysis on the core pool mechanics such as the swap, addLiquidity, removeLiquidity, and mint/burn functions. You must check for proper access controls—ensure sensitive functions like feeTo setter or ownership transfers are guarded by modifiers like onlyOwner. Look for reentrancy guards (e.g., OpenZeppelin's ReentrancyGuard) on functions that transfer funds. A critical check is verifying the mathematical correctness of the constant product formula x * y = k and fee calculations. For example, inspect the swap function to ensure the output amount is calculated correctly and fees are deducted properly. Use a tool like Slither or manual review to scan for known vulnerabilities.

• Sub-step 1: Trace the flow of user funds through swap and liquidity functions, noting any external calls.
• Sub-step 2: Verify all state-changing functions have appropriate modifiers to prevent unauthorized access.
• Sub-step 3: Manually audit the math in key functions, checking for potential overflow/underflow (though Solidity 0.8+ mitigates this).

Tip: Compare the code against a known, audited codebase (like Uniswap V2 core) to spot significant deviations.

Detailed Instructions

Tokenomics validation is crucial for understanding the pool's sustainability. First, locate the fee parameters. In many AMMs, a swapFee (e.g., 0.3%) and a protocolFee might be present. Check how these fees are collected and distributed—are they sent to a treasury, burned, or distributed to liquidity providers (LPs)? Review the liquidity provider (LP) token contract to understand its minting/burning logic and ensure it correctly represents pool share. For instance, examine the mint function in the pair contract to see if it properly calculates LP tokens based on deposited assets:

solidityCopy
function mint(address to) external lock returns (uint liquidity) {
    // ...
    liquidity = Math.min(amount0.mul(_totalSupply) / _reserve0, amount1.mul(_totalSupply) / _reserve1);
}

Also, check for any minting caps, timelocks, or admin keys that could arbitrarily inflate the supply.

• Sub-step 1: Identify all fee-related state variables (e.g., feeTo, feePercent) and trace where the fees are sent.
• Sub-step 2: Analyze the LP token's total supply mechanics to ensure it's not susceptible to manipulation.
• Sub-step 3: Look for any vesting schedules, emission rates, or admin controls over the economics.

Tip: A fee structure that sends too much to an admin-controlled address can be a centralization risk.

Detailed Instructions

Move from static analysis to dynamic testing. Use a development framework like Hardhat or Foundry to deploy the contracts to a local or testnet environment. Write and run test scripts that simulate all major user interactions. For a DEX pool, you must test: adding/removing liquidity, swapping tokens, and collecting fees. Use Foundry's forge test to write comprehensive tests. For example, a simple swap test might look like:

solidityCopy
// Example Foundry test snippet
function test_SwapExactTokensForTokens() public {
    // Setup: Provide liquidity first
    addLiquidity(tokenA, tokenB, 100 ether, 100 ether);
    // Act: Perform a swap
    router.swapExactTokensForTokens(1 ether, 0, path, address(this), block.timestamp);
    // Assert: Check recipient received tokens
    assertGt(tokenB.balanceOf(address(this)), 0);
}

Additionally, use a tool like Tenderly or a forked mainnet environment to simulate transactions with real-world state and gas estimates. This helps uncover edge cases and validate that the contract behaves as expected under various market conditions.

• Sub-step 1: Clone the repo and set up a Hardhat/Foundry project with the contract dependencies.
• Sub-step 2: Write unit tests for all core functions, including edge cases like minimal liquidity or maximum swaps.
• Sub-step 3: Deploy to a testnet (like Sepolia) and perform manual interactions via a front-end or direct calls to confirm usability.

Tip: Simulating a "rug pull" scenario by testing what happens if the owner calls a malicious function can reveal exit scams.

Detailed Instructions

First, you must locate and understand the pool's smart contract code to identify all fee-related functions. This is critical as fees are not always transparent on the front-end. Start by finding the contract address on a block explorer like Etherscan for Ethereum-based pools.

• Sub-step 1: Locate the contract. Find the pool's factory or router contract, then trace to the specific pool address. For a Uniswap V3-style pool on Ethereum, you might start with the factory at 0x1F98431c8aD98523631AE4a59f267346ea31F984.
• Sub-step 2: Examine fee variables. Look for state variables like fee, protocolFee, totalFees, or swapFee. Check if fees are static or dynamic (e.g., based on volatility).
• Sub-step 3: Review fee distribution. Trace where collected fees are sent. Are they accrued to liquidity providers (LPs) in real-time, claimed later, or is a portion taken by a protocol treasury?

Tip: Use the contract's Read Contract tab on Etherscan to call view functions. For example, calling fee() on a pool contract will return the basis points (e.g., 3000 for a 0.3% fee).

solidityCopy
// Example query to check a pool's fee (conceptual)
// pool.fee() returns uint24 representing fee in hundredths of a bip (1/10000 of 1%)
uint24 poolFee = IUniswapV3Pool(poolAddress).fee();
// A return value of 3000 means a 0.3% (3000/1000000) fee per swap.

Detailed Instructions

Annual Percentage Rate (APR) is a key metric, but it must be broken down into its core components: trading fee APR and incentive token APR. The trading fee APR is derived from pool volume and your share of liquidity, while the incentive APR comes from external token emissions.

• Sub-step 1: Calculate fee-based APR. Estimate using the formula: (Annual Trading Volume * Fee Percentage) / Total Value Locked (TVL). Use DEX analytics sites like Dune Analytics or DeFiLlama to get 24h volume and TVL, then annualize.
• Sub-step 2: Investigate liquidity mining. Check if the pool offers additional token rewards. Find the staking or gauge contract address and query the emission rate (e.g., rewards per second).
• Sub-step 3: Assess reward sustainability. Evaluate the incentive token's inflation schedule and market cap. A high APR driven by massive, unsustainable emissions is a red flag.

Tip: For a pool on a chain like Arbitrum, you might query a gauge contract to see rewards. High, short-term APRs (>100%) are often unsustainable and may indicate a "farm and dump" scheme.

javascriptCopy
// Example using ethers.js to read reward rate from a gauge
const gaugeContract = new ethers.Contract(gaugeAddress, abi, provider);
const rewardRate = await gaugeContract.rewardRate(); // tokens per second
const totalSupply = await gaugeContract.totalSupply(); // LP tokens staked
// APR = (rewardRate * secondsPerYear * tokenPrice) / (totalSupply * lpTokenPrice)

Detailed Instructions

Impermanent Loss is the opportunity cost incurred when the value of your deposited assets changes compared to simply holding them. It's amplified in pools with volatile or correlated assets. Your due diligence must project whether collected fees will offset this risk.

• Sub-step 1: Simulate IL scenarios. Use online calculators (e.g., Daily Defi, CoinGecko) to model IL for different price divergence levels (e.g., +100%, -50% for one asset). Input the pool's fee tier.
• Sub-step 2: Compare fee income to IL. For the simulated volume, calculate the fee income your share would earn. Determine the break-even volume needed for fees to cover IL at various divergence points.
• Sub-step 3: Analyze pool composition. A stablecoin pair (e.g., USDC/USDT) has minimal IL but low fees. An exotic altcoin/ETH pair may have high potential fees but extreme IL risk.

Tip: For a balanced 50/50 ETH/USDC pool, a 2x price change in ETH leads to ~5.7% IL. You would need substantial trading volume generating fees greater than this loss to profit.

pythonCopy
# Simplified Python logic for break-even analysis
fee_rate = 0.003 # 0.3%
il_percentage = 0.057 # 5.7% IL from 2x price move
your_liquidity_value = 10000 # USD
required_fee_income = your_liquidity_value * il_percentage # $570
# Required Volume = Required Fee Income / Fee Rate
required_volume = required_fee_income / fee_rate # $190,000

Detailed Instructions

This step ensures the smart contracts handling fees and incentives are not vulnerable to exploits or admin abuse. Focus on timelocks, multisig requirements, and upgradeability.

• Sub-step 1: Check for admin controls. Review the fee-setting functions. Is there an owner or governance address that can change fees arbitrarily? If so, is it a timelocked contract or a secure multisig (e.g., Gnosis Safe with 5/9 signers)?
• Sub-step 2: Audit reward contract risks. If there are liquidity mining rewards, inspect the distributor contract. Can rewards be rug-pulled? Look for functions like emergencyWithdraw or setRewardRate that could be misused.
• Sub-step 3: Review audit history. Search for the protocol's audit reports from firms like CertiK, OpenZeppelin, or Trail of Bits. Check if findings related to fee mechanics were addressed. Also, monitor social channels for any unusual governance proposals about fee changes.

Tip: On Etherscan, check the Contract tab for the "Write as Proxy" warning, which indicates upgradeability. Verify the implementation contract and who controls the proxy admin.

bashCopy
# Using cast (Foundry) to check a contract's owner
cast call <POOL_CONTRACT_ADDRESS> "owner()" --rpc-url <RPC_URL>
# Or check if a function is protected by a timelock
cast call <TIMELOCK_ADDRESS> "getMinDelay()" --rpc-url <RPC_URL>
# A non-zero delay (e.g., 172800 for 2 days) is a good sign.