QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Position Limit Can Be Bypassed

Summary

In the UpliftOnlyExample contract, there is a vulnerability in the position limit check that allows users to exceed the intended maximum of 100 positions per account. The current implementation uses a > operator instead of >=, enabling users to create 101 positions when the limit should be 100, directly contradicting the intended business logic.

Vulnerability Details

The vulnerability exists in the position limit validation logic within the UpliftOnlyExample contract. Here's how the issue manifests:

  1. The contract maintains a mapping poolsFeeData that tracks positions for each pool and user

  2. There is an intended limit of 100 positions per user per pool

  3. The current check is implemented as:

    if (poolsFeeData[pool][msg.sender].length > 100) {
        // revert if exceeded
    }
    // ... position is added after this check

The issue arises because:

  • The check uses > instead of >=

  • When a user has exactly 100 positions, the check passes (100 > 100 is false)

  • The new position is then added, resulting in 101 positions

  • This bypasses the intended 100-position limit

The validation occurs before the position is added, creating an off-by-one error that allows one extra position beyond the intended limit. This can lead to a DoS scenario in which users cannot access their positions because the gas cost exceeds what was anticipated for the 100 positions. In addition, it allows users to directly bypass the intended limitations set by the protocol.

Impact

DoS of user positions because the gas cost exceeds what was anticipated for the 100 positions. Users can also directly bypass the intended limitations set by the protocol.

Tools Used

Manual Review

Recommendations

Modify the position limit check to use >= instead of >:

    if (poolsFeeData[pool][msg.sender].length >= 100) {
        revert TooManyDeposits(pool, msg.sender);
    }

This ensures that users cannot exceed the intended limit.
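
The check-then-push boundary described in this submission can be exercised with a small model and a boundary test. This is an added example, not the UpliftOnlyExample source or the submitter's code: position records are reduced to timestamps, and MAX_POSITIONS, addPosition, positionCount, maxReachable and the address types of the TooManyDeposits parameters are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the check-then-push pattern (added example, not the
// UpliftOnlyExample source). Position records are reduced to timestamps;
// MAX_POSITIONS, addPosition and positionCount are hypothetical names.
contract PositionLimitModel {
    uint256 public constant MAX_POSITIONS = 100;

    error TooManyDeposits(address pool, address depositor);

    mapping(address => mapping(address => uint256[])) internal poolsFeeData;

    // inclusive = false reproduces the reported `>` check,
    // inclusive = true applies the recommended `>=` check.
    function addPosition(address pool, bool inclusive) external {
        uint256 n = poolsFeeData[pool][msg.sender].length;
        if (inclusive ? n >= MAX_POSITIONS : n > MAX_POSITIONS) {
            revert TooManyDeposits(pool, msg.sender);
        }
        // The push happens after the check, so the check must reject n == MAX.
        poolsFeeData[pool][msg.sender].push(block.timestamp);
    }

    function positionCount(address pool, address user) external view returns (uint256) {
        return poolsFeeData[pool][user].length;
    }
}

// Boundary test: add positions until the first revert, then report how many
// were stored. Use a different pool address for each call.
contract PositionLimitBoundaryTest {
    PositionLimitModel internal model = new PositionLimitModel();

    function maxReachable(address pool, bool inclusive) external returns (uint256) {
        // The loop bound keeps the test finite even if the check never reverts.
        uint256 bound = model.MAX_POSITIONS() + 2;
        for (uint256 i = 0; i < bound; i++) {
            try model.addPosition(pool, inclusive) {} catch { break; }
        }
        return model.positionCount(pool, address(this));
    }
}
```

With the limit of 100, the `>` variant stops at 101 stored entries and the `>=` variant stops at 100, so a regression test should assert on the count at the first revert rather than only on whether a revert eventually occurs.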

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_Uplift_101_deposit_strict_equal

Only 1 more NFT won’t have any impact. Informational.
