QuantAMM

Summary

The UpliftOnlyExample contract is vulnerable to sandwich attacks around Chainlink oracle price updates, allowing attackers to profit from predictable price changes during heartbeat updates. This could lead to value extraction from the protocol over time.

Vulnerability Details

In the UpliftOnlyExample contract, the getPoolLPTokenValue function relies on Chainlink oracle prices to determine deposit values. The vulnerability exists because:

1. Chainlink oracles have predictable update patterns:

   • Updates occur on fixed heartbeat intervals

   • Price deviations up to 0.5% are allowed before forced updates

   • Updates are visible on-chain

2. Attack flow:

1. While fees reduce profitability, the attack remains viable:

   • Can be executed repeatedly on heartbeat updates

   • Can be performed across multiple assets and pools

   • Cumulative profits can be significant over time

Impact

Loss of funds - The protocol gradually loses value to attackers who can reliably extract profits by sandwiching oracle updates.

Tools Used

Manual Review

Recommendations

Several mitigations could be implemented:

1. Use more responsive oracles like Pyth:

2. Implement profit caps on quick withdrawals where if a user withdraws within x time of depositing they can only withdraw the proportional amount up to the original deposit value. So if a user is withdrawing 100% of the nft's value they can get at most 100% of the original deposit value. If they are withdrawing 50% of the nft's value they can get at most 50% of the original deposit value. This would prevent the user from profiting from the price change and instead any profit would be donated to the pool.