UpliftOnlyExample.sol contains a potential Array Index Out of Bounds or Negative Index vulnerability in the loop that iterates over feeDataArray in the onAfterRemoveLiquidity function. This vulnerability could lead to accessing invalid memory locations, causing unintended behavior, potential reverts, or unexpected contract execution. The issue arises from improper handling of array indexing when the loop reaches index 0.
Affected Code:
In the loop above, the variable i is used to iterate over feeDataArray in reverse, starting from the last element and decrementing towards 0.
However, since i is of type uint256 (an unsigned integer), it cannot hold negative values. When i reaches 0, the subsequent decrement --i will cause i to underflow and wrap around to a very large number (2^256 - 1), which is not a valid index in the array.
This causes:
Out of Bounds Access: The array index could exceed the bounds of the array.
Infinite Loop: The loop may never terminate if it continues to decrement i past 0, causing the contract to enter an infinite loop.
It causes the loop to attempt accessing an invalid index (i >= 0 underflow), leading to an infinite loop or a revert due to invalid memory access. This could result in gas exhaustion, causing the transaction to fail, and disrupt the fee distribution logic, potentially allowing for incorrect fee calculations or loss of liquidity data.
Manual source code review.
To fix this issue, the loop condition should be modified to prevent underflow when i reaches 0. A proper solution would involve:
Checking if the array is empty (feeDataArrayLength == 0) before the loop starts.
Modifying the loop to ensure i stops at 0 and does not attempt to decrement below it.
Here is the fixed code:
That’s definitely not the best way to handle that but there is indeed no impact. If someone tries to get more than their deposits, it must revert, and thanks to that "fancy mistake" (or genius code?), it does.
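The reverse-iteration pattern discussed in the finding and in the comment above, as an added example that is not the code from UpliftOnlyExample.sol or from the submission. It assumes Solidity 0.8 or later with default checked arithmetic; the contract, array, error and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: every name here is hypothetical and is not taken
// from UpliftOnlyExample.sol.
contract ReverseLoopDemo {
    uint256[] public deposits; // oldest first, consumed newest first

    error InsufficientDeposits(uint256 missing);

    function deposit(uint256 amount) external {
        deposits.push(amount);
    }

    // Unsigned countdown with `i >= 0`, which is always true for a uint256.
    // Under 0.8+ checked arithmetic the index cannot wrap: `--i` at i == 0
    // (or `length - 1` on an empty array) reverts with Panic(0x11), so a
    // request larger than the total deposits reverts instead of looping.
    function removeUnsignedCountdown(uint256 amount) external {
        for (uint256 i = deposits.length - 1; i >= 0; --i) {
            amount = _consume(i, amount);
            if (amount == 0) break;
        }
    }

    // Explicit form: count from length down to 1, index with i - 1, and
    // revert with a named error when the request exceeds the deposits.
    function removeExplicit(uint256 amount) external {
        for (uint256 i = deposits.length; i > 0 && amount > 0; --i) {
            amount = _consume(i - 1, amount);
        }
        if (amount != 0) revert InsufficientDeposits(amount);
    }

    // Takes up to `amount` from deposits[idx]; returns what is still owed.
    function _consume(uint256 idx, uint256 amount) private returns (uint256) {
        uint256 available = deposits[idx];
        uint256 taken = amount < available ? amount : available;
        deposits[idx] = available - taken;
        return amount - taken;
    }
}
```

Both functions revert on an over-sized request; the second one does so through an explicit check and a descriptive error rather than through an arithmetic panic.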