Harden transfers (SafeERC20) + safe polish; sync docs

[0xSoftBoi]

Correctness + safe polish on the AMM (no API/signature changes), then docs synced to match. All 18 Foundry tests pass unchanged (incl. invariant fuzz: 256 runs × 128k calls, 0 reverts).

Code (src/QuantDEX.sol)

• SafeERC20 for all six transfers — closes SWC-104. Tokens that return false or no bool (USDT/BNB) now revert instead of silently succeeding. (No signature change.)
• CEI consistency — addLiquidity now writes effects before pulling tokens, matching swap/removeLiquidity.
• DRY — addLiquidity/removeLiquidity use the existing _poolKey helper.
• Comment fixes — drop the wrong SWC-120 oracle ref (that's weak randomness; cite samczsun); correct the _sqrt NatSpec (the rounding is not a security mechanism — internal reserve accounting is what closes inflation).
• Document fee-on-transfer / rebasing tokens as unsupported.

Tests

Only a dead is IERC20 reference removed from two test doubles (forced by switching the contract to OZ's IERC20 for SafeERC20). No logic changed.

Docs (SECURITY.md, README.md)

Remove the sqrt/"O(N²) quadratic" inflation misattribution and the SWC-120 reference; credit internal reserve accounting; mark the Wake unchecked-return/unsafe-erc20 findings Fixed; add the fee-on-transfer limitation. Matches the blog post.

🤖 Generated with Claude Code

---

---

Summary by cubic

Hardened ERC‑20 transfers with @openzeppelin/contracts SafeERC20 and aligned addLiquidity with CEI; no API/signature changes. Docs now correctly attribute the inflation defense to internal reserve accounting and note that fee‑on‑transfer/rebasing tokens are unsupported.

• Refactors

  • All six transfers use SafeERC20 (safeTransfer*); tokens returning false or no value now revert (closes SWC‑104).
  • addLiquidity credits state before interactions; addLiquidity/removeLiquidity use _poolKey; tests only drop unused IERC20 refs.

• Dependencies

  • Use IERC20 and SafeERC20 from @openzeppelin/contracts.

^{Written for commit 1985e5f. Summary will update on new commits.}

[ecc-tools]

Analyzing 200 commits...

[ecc-tools]

Analysis Complete

Generated ECC bundle from 1 commits | Confidence: 50%

View Pull Request #3

Repository Profile

Attribute	Value
Language	TypeScript
Framework	Not detected
Commit Convention	freeform
Test Directory	separate

Changed Files (6)

Metric	Value
Files changed	6
Additions	65
Deletions	47

Top hotspots

Path	Status	+/-
src/QuantDEX.sol	modified	+35 / -26
SECURITY.md	modified	+20 / -18
README.md	modified	+8 / -0
test/Attacks.t.sol	modified	+1 / -1
test/InvariantTest.t.sol	modified	+1 / -1

Top directories

Directory	Files	Total changes
src	1	61
.	2	46
test	3	5

Analysis Depth Readiness (commit-history, 21%)

ECC Tools uses this to decide whether recommendations should stay at commit-history/setup guidance or expand into CI, security, harness, reference-set, AI-routing, and team backlog work.

Area	Status	Evidence / Next Step
Commit history	Partial	1 commits sampled
CI/CD signals	Missing	Add workflow files or CI troubleshooting evidence so ECC Tools can reason about pipeline setup.
Security evidence	Ready	SECURITY.md
Harness configuration	Missing	Add Claude, Codex, OpenCode, Zed, dmux, MCP, plugin, or cross-harness config evidence for harness-agnostic recommendations.
Reference/eval evidence	Missing	Add fixtures, golden traces, reference sets, or evaluator benchmarks so deeper recommendations have regression evidence.
AI routing and cost controls	Missing	Add model-routing, budget, usage, or cost-control files before relying on AI-heavy automation recommendations.
Team handoff and project tracking	Missing	Add roadmap, runbook, project, Linear, or follow-up tracking docs so generated work can land in a team queue.

Reference Set Readiness (1/7, 14%)

Area	Status	Evidence / Next Step
Deep analyzer corpus	Missing	Add analyzer fixture, golden, benchmark, or reference-set files that can catch analyzer regressions.
RAG/evaluator comparison	Missing	Add retrieval or evaluator reference-set comparison fixtures with expected ranking behavior.
PR salvage/review corpus	Missing	Add stale-PR, review-thread, reopen-flow, or salvage reference cases for queue cleanup automation.
Discussion triage corpus	Missing	Add public discussion triage fixtures, golden cases, or reference sets for informational, answered, and no-response classifications.
Harness compatibility	Missing	Add cross-harness, adapter-compliance, or harness-audit evidence for Claude, Codex, OpenCode, Zed, dmux, and agent surfaces.
Security evidence	Present	SECURITY.md
CI failure-mode evidence	Missing	Add captured CI failure logs, dry-run fixtures, or troubleshooting docs for common workflow failure modes.

Generated Instincts (16)

Domain	Count
git	2
code-style	9
testing	4
architecture	1

After merging, import with:

/instinct-import .claude/homunculus/instincts/inherited/quantgroup-instincts.yaml

Files

• .claude/ecc-tools.json
• .claude/skills/quantgroup/SKILL.md
• .agents/skills/quantgroup/SKILL.md
• .agents/skills/quantgroup/agents/openai.yaml
• .claude/identity.json
• .codex/config.toml
• .codex/AGENTS.md
• .codex/agents/explorer.toml
• .codex/agents/reviewer.toml
• .codex/agents/docs-researcher.toml
• .claude/homunculus/instincts/inherited/quantgroup-instincts.yaml

---

_{ECC Tools | Everything Claude Code}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.