QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Inadequate Check in `removeLiquidityProportional` Allows Malicious Attacker to Withdraw More Than Their Deposit

Summary

The `removeLiquidityProportional` function lacks proper validation of withdrawal amounts, allowing malicious attackers with minimal deposits to exploit the system and withdraw more than they are entitled to.

Vulnerability Details

Here's the implementation of the `removeLiquidityProportional` function in the `UpliftOnlyExample` contract:

```solidity
function removeLiquidityProportional(
    uint256 bptAmountIn,
    uint256[] memory minAmountsOut,
    bool wethIsEth,
    address pool
) external payable saveSender(msg.sender) returns (uint256[] memory amountsOut) {
    uint depositLength = poolsFeeData[pool][msg.sender].length;
    if (depositLength == 0) {
        revert WithdrawalByNonOwner(msg.sender, pool, bptAmountIn);
    }
    // Do removeLiquidity operation - tokens sent to msg.sender.
    amountsOut = _removeLiquidityProportional(
        pool,
        address(this),
        msg.sender,
        bptAmountIn,
        minAmountsOut,
        wethIsEth,
        abi.encodePacked(msg.sender)
    );
}
```

As demonstrated, the `removeLiquidityProportional` function verifies if the caller has deposits in the specified pool by checking the length of `poolsFeeData[msg.sender]`.

However, this check can be bypassed if an attacker makes a minimal deposit. Once bypassed, the attacker can exploit the vulnerability to withdraw excessive funds from the pool, potentially draining it entirely.

Impact

The inadequate validation in the `removeLiquidityProportional` function allows attackers to bypass checks by making minimal deposits. This enables them to exploit the system and withdraw excessive funds, potentially draining the entire pool and causing significant financial losses to the protocol and its users.

Tools Used

Manual Review

Recommendations

Implement stricter validation in the `removeLiquidityProportional` function to ensure that withdrawal amounts are directly correlated to the user's actual deposit.

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_removing_liquidity_never_check_if_amount_is_owned_by_the_sender

Read bugs with that tag: invalid_onAfterRemoveLiquidity_loop_underflow. Because of that implementation, trying to remove more will lead to an underflow.
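
The judge's reasoning, sketched as an added example that is not part of the submission or of the QuantAMM code base: a simplified Python model in which the after-remove hook walks the caller's recorded deposits with Solidity-style checked arithmetic. The record layout, the newest-first loop and every name here (`RouterModel`, `checked_sub`, `Underflow`) are assumptions made for illustration.

```python
class Underflow(Exception):
    """Stands in for the Solidity 0.8 checked-arithmetic panic."""


def checked_sub(a, b):
    # uint256 subtraction reverts instead of wrapping below zero.
    if b > a:
        raise Underflow(f"{a} - {b}")
    return a - b


class RouterModel:
    """Hypothetical per-(pool, user) deposit bookkeeping, not the real contract."""

    def __init__(self):
        self.deposits = {}  # (pool, user) -> list of recorded BPT amounts

    def add_liquidity(self, pool, user, bpt):
        self.deposits.setdefault((pool, user), []).append(bpt)

    def remove_liquidity(self, pool, user, bpt_in):
        # Work on a copy: a revert must leave the stored records untouched.
        records = list(self.deposits.get((pool, user), []))
        if not records:
            # Entry check quoted in the submission (length == 0).
            raise PermissionError("WithdrawalByNonOwner")
        left = bpt_in
        i = len(records) - 1
        while left > 0:
            if records[i] <= left:
                # Consume the whole record and move to the next older one.
                left -= records[i]
                records.pop()
                if left > 0:
                    i = checked_sub(i, 1)  # no record left: underflow, revert
            else:
                # Partially consume the record; the request is satisfied.
                records[i] -= left
                left = 0
        self.deposits[(pool, user)] = records  # commit only on success
        return bpt_in


if __name__ == "__main__":
    router = RouterModel()
    router.add_liquidity("pool", "small", 1)      # constructed sample data
    try:
        router.remove_liquidity("pool", "small", 1000)
    except Underflow as exc:
        print("reverted:", exc)
```

In this model the length check only gates entry; the amount is bounded by the record walk, which reverts once the caller's own records are exhausted.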
