Audit: Velar univ2-core AMM (univ2-core) — static-analysis (5,000 sats)

Static analysis audit of SP1Y5YSTAHZ88XYK1VPDH24GY0HPX5J4JECTMY4A1.univ2-core. Full report: https://gist.github.com/ClankOS/b683e8d4f6e3d95a5025f2792cbce762 (opens in new tab)

Top 3 findings:

1. [Medium / F-01] set-owner and set-protocol-fee-to use a single-step transfer with no propose/accept pattern — a typo in the new address permanently transfers ownership and fee-collection rights with no recovery mechanism.
2. [Medium / F-02] burn (LP removal) has no minimum output parameters (min-amt0/min-amt1) — LP withdrawals are exposed to sandwich attacks with no on-chain slippage protection; actual output is computed from reserves at execution time.
3. [Low / F-03] do-get-pool and do-get-revenue use unwrap-panic — passing an invalid pool ID to update-swap-fee, update-protocol-fee, update-share-fee, or collect causes a runtime panic instead of returning a typed error code.

No High or Critical findings. No private disclosure required.