The UpliftOnlyExample contract manages liquidity positions using an NFT-based system where users can deposit assets and receive an NFT representing their liquidity position. When users withdraw their liquidity, the contract calculates fees based on price changes since deposit time, using a FILO (First In, Last Out) order through a feeData array that tracks all deposits.
During the removeLiquidity operation, the contract processes fees by iterating through the feeData array in reverse order, starting from the most recent deposit. This iteration happens in the following vulnerable code:
The vulnerability occurs because when i reaches 0 and --i executes, it will underflow since this operation is not protected by Solidity's underflow checks in the loop condition. This causes the transaction to revert due to Solidity 0.8.x's arithmetic safety checks.
This means that users who need to iterate through the last item of the array to remove their liquidity will suffer a permanent DoS, as the transaction will revert whenever they try to remove liquidity.
DoS - Users cannot remove their liquidity whenever the array reaches position 0 to deduct the amount left.
Manual Review & Foundry
Decrement the i inside the loop.
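An added illustration, not the contract's code and not part of the submission: a hypothetical FiloLedger with the reverse-loop shape the finding describes, next to a variant that decrements inside the loop body. Every name, the simplified amounts-only array and the break once nothing is left are assumptions, since the page's own snippet is not present.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Hypothetical ledger (not UpliftOnlyExample): every name here is an assumption.
contract FiloLedger {
    error InsufficientDeposits(uint256 shortfall);

    uint256[] public deposits; // stands in for the per-position feeData entries

    function deposit(uint256 amount) external {
        deposits.push(amount);
    }

    /// Loop shape described in the finding: `i >= 0` is always true for a uint256,
    /// so the loop only ends via `break`. If index 0 is processed and amountLeft
    /// is still non-zero, `--i` underflows and reverts with Panic(0x11).
    function removeImplicit(uint256 amount) external {
        uint256 amountLeft = amount;
        // Note: `deposits.length - 1` also panics when the array is empty.
        for (uint256 i = deposits.length - 1; i >= 0; --i) {
            uint256 take = deposits[i] < amountLeft ? deposits[i] : amountLeft;
            deposits[i] -= take;
            amountLeft -= take;
            if (deposits[i] == 0) deposits.pop(); // i is always the last index
            if (amountLeft == 0) break; // exact withdrawals exit before `--i` runs
        }
    }

    /// Decrement inside the body: the index never goes below zero, and an
    /// over-withdrawal fails with a named error instead of an arithmetic panic.
    function removeExplicit(uint256 amount) external {
        uint256 amountLeft = amount;
        uint256 i = deposits.length;
        while (i > 0 && amountLeft > 0) {
            --i; // safe: guarded by i > 0
            uint256 take = deposits[i] < amountLeft ? deposits[i] : amountLeft;
            deposits[i] -= take;
            amountLeft -= take;
            if (deposits[i] == 0) deposits.pop();
        }
        if (amountLeft > 0) revert InsufficientDeposits(amountLeft);
    }
}
```

With constructed deposits of 5 and 3, removeImplicit(8) succeeds while removeImplicit(9) reverts with Panic(0x11); removeExplicit(9) reverts with InsufficientDeposits(1).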
That’s definitely not the best way to handle that, but there is indeed no impact. If someone tries to get more than their deposits, it must revert, and thanks to that "fancy mistake" (or genius code?), it does.