Hermes [ Crypto ] Fix first-depositor price manipulation in LiquidityPool #6011

Closed
Vincent1-p wants to merge 3 commits into UnsafeLabs:main from Vincent1-p:fix/liquiditypool-first-depositor-918
@Vincent1-p

Closes #918

Changes

1. First-Depositor Attack Protection

  • Added MINIMUM_LIQUIDITY = 1000 constant
  • First deposit permanently locks MINIMUM_LIQUIDITY tokens at address(0)
  • Follows Uniswap V2 pattern to prevent price manipulation

2. Internal Reserves

  • Added reserveA and reserveB internal variables
  • removeLiquidity uses internal reserves (not manipulable balanceOf)
  • Prevents exploitation via direct token transfers

3. Sync Function

  • sync() updates reserves from actual token balances
  • Recovery mechanism from donation attacks
  • Emits Sync event for transparency

4. SafeERC20 Integration

  • All token transfers use SafeERC20 for checked transfers
  • Input validation on all parameters

Testing (18 test cases)

  • ✅ First deposit lock: MINIMUM_LIQUIDITY at address(0)
  • ✅ Correct LP allocation (minus locked amount)
  • ✅ First-depositor manipulation prevention (donation attack simulated)
  • ✅ Subsequent proportional deposit formula verification
  • ✅ removeLiquidity uses internal reserves (ignores donations)
  • ✅ Direct transfers do not affect LP pricing
  • ✅ Sync function updates reserves correctly
  • ✅ Sync event emission verification
  • ✅ Insufficient initial liquidity revert
  • ✅ Exact MINIMUM_LIQUIDITY boundary test
  • ✅ Insufficient LP balance revert
  • ✅ Non-owner LP removal revert
  • ✅ Tiny second deposit (1 wei → 1 LP token)
  • ✅ Asymmetric first deposit (unequal A/B amounts)
  • ✅ Asymmetric subsequent deposit with ratio verification
  • ✅ Zero amount input rejection
  • ✅ getReserves returns correct values
  • ✅ Multiple users add + remove lifecycle with final state check

Contributor Verification

  • _generation.json with Hermes agent metadata
  • ✅ PR title: Hermes + [ Crypto ]

/bounty 600

刘思浓 and others added 3 commits June 2, 2026 21:12
…Pool

Closes UnsafeLabs#918

- Add MINIMUM_LIQUIDITY=1000 lock at address(0)
- Internal reserves instead of balanceOf for removeLiquidity
- sync() function for donation recovery
- SafeERC20 for all transfers
- Comprehensive tests: 18 cases covering all acceptance criteria
  - First deposit lock verification
  - First-depositor manipulation prevention
  - Internal reserves for removeLiquidity
  - Sync event emission
  - Asymmetric deposits
  - Edge cases: boundary values, insufficient LP
- Contributor verification: _generation.json
@Vincent1-p Vincent1-p closed this Jun 2, 2026
@Vincent1-p Vincent1-p force-pushed the fix/liquiditypool-first-depositor-918 branch from 5dd77fd to 201c2b4 Compare June 2, 2026 21:30
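
The share accounting this PR describes, as an added Python model that is not part of the PR or the UnsafeLabs code base. It assumes the Uniswap V2 formulas the description refers to (integer sqrt(a*b) minus MINIMUM_LIQUIDITY on the first deposit, proportional minting afterwards); `PoolModel`, `direct_transfer` and the account names are hypothetical.

```python
from math import isqrt

MINIMUM_LIQUIDITY = 1000  # constant named in the PR description
ZERO = "address(0)"       # stand-in for the burn address

class PoolModel:
    """Assumed Uniswap V2-style share math; a model, not the PR's contract."""
    def __init__(self):
        self.reserve_a = self.reserve_b = 0  # internal reserves
        self.balance_a = self.balance_b = 0  # what balanceOf(pool) would report
        self.total_supply, self.lp = 0, {}

    def _mint(self, to, n):
        self.lp[to] = self.lp.get(to, 0) + n
        self.total_supply += n

    def add_liquidity(self, user, a, b):
        if a <= 0 or b <= 0:
            raise ValueError("zero amount")
        if self.total_supply == 0:
            minted = isqrt(a * b) - MINIMUM_LIQUIDITY
            if minted <= 0:
                raise ValueError("insufficient initial liquidity")
            self._mint(ZERO, MINIMUM_LIQUIDITY)  # locked, never redeemable
        else:
            # Priced against internal reserves, never against balanceOf.
            minted = min(a * self.total_supply // self.reserve_a,
                         b * self.total_supply // self.reserve_b)
        self._mint(user, minted)
        self.reserve_a, self.reserve_b = self.reserve_a + a, self.reserve_b + b
        self.balance_a, self.balance_b = self.balance_a + a, self.balance_b + b
        return minted

    def direct_transfer(self, a, b):
        # Tokens sent straight to the pool: balances move, reserves do not.
        self.balance_a, self.balance_b = self.balance_a + a, self.balance_b + b

    def remove_liquidity(self, user, shares):
        if self.lp.get(user, 0) < shares:
            raise ValueError("insufficient LP balance")
        out_a = shares * self.reserve_a // self.total_supply
        out_b = shares * self.reserve_b // self.total_supply
        self.lp[user] -= shares
        self.total_supply -= shares
        self.reserve_a, self.reserve_b = self.reserve_a - out_a, self.reserve_b - out_b
        self.balance_a, self.balance_b = self.balance_a - out_a, self.balance_b - out_b
        return out_a, out_b

    def sync(self):
        # Recovery path: reserves are reset to the actual balances.
        self.reserve_a, self.reserve_b = self.balance_a, self.balance_b
        return self.reserve_a, self.reserve_b
```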