The UpliftOnlyExample contract allows users to bypass uplift fees by transferring LP NFTs between their own wallets, as the position value is reset without charging profit fees during transfers.
In the afterUpdate function of UpliftOnlyExample.sol, when an LP token is transferred between addresses, the contract updates the deposit value to the current value without applying any uplift fees:
The vulnerability exists because:
The transfer resets the position's deposit value to the current value
No profit fees are charged during the transfer
Users can maintain their actual position value while avoiding fees by transferring between their own wallets
This creates a significant economic exploit where users can:
Accumulate profits in their position
Transfer the LP token to another wallet they control
Reset their profit tracking without paying any fees
Remove liquidity without paying any fees
Loss of yield - The protocol and liquidity providers lose fee revenue as users can systematically avoid paying uplift fees on their profits through transfers.
Manual Review
Consider not updating the deposit value during transfers. This would allow the profit to persist and put the obligation to pay fees on the recipient. As long as it is documented that the recipient will be charged fees on whatever profit the position has, this would be a valid solution.
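The accounting difference between the reported behaviour and the recommended one, as an added Python model that is not the contract's Solidity code. The fee rate, the class and method names, and the sample values are assumptions made for illustration; only lpTokenDepositValue comes from the finding.

```python
from dataclasses import dataclass

UPLIFT_FEE_BPS = 500  # assumed rate (5% of profit); not taken from the contract


@dataclass
class Position:
    owner: str
    lp_token_deposit_value: int  # models lpTokenDepositValue from the finding


class UpliftModel:
    """Simplified model of uplift-fee accounting (hypothetical, illustrative)."""

    def __init__(self, reset_on_transfer: bool):
        self.reset_on_transfer = reset_on_transfer
        self.fees_collected = 0

    def deposit(self, owner: str, current_value: int) -> Position:
        return Position(owner, current_value)

    def transfer(self, pos: Position, new_owner: str, current_value: int) -> None:
        pos.owner = new_owner
        if self.reset_on_transfer:
            # Reported behaviour: the baseline moves to the current value,
            # so accrued profit is no longer visible to the fee logic.
            pos.lp_token_deposit_value = current_value
        # Recommended behaviour: leave the baseline untouched, so the
        # recipient inherits the obligation to pay fees on the profit.

    def remove(self, pos: Position, current_value: int) -> int:
        profit = max(0, current_value - pos.lp_token_deposit_value)
        fee = profit * UPLIFT_FEE_BPS // 10_000
        self.fees_collected += fee
        return current_value - fee


def run_scenario(reset_on_transfer: bool) -> tuple[int, int]:
    """Deposit at 1000, transfer and remove at 1500 (constructed values)."""
    model = UpliftModel(reset_on_transfer)
    pos = model.deposit("wallet_a", 1_000)
    model.transfer(pos, "wallet_b", 1_500)
    payout = model.remove(pos, 1_500)
    return payout, model.fees_collected
```

A regression test for the fix can assert the same invariant against the real hook: fees collected on removal after a transfer equal the fees that would have been collected without the transfer.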
Likelihood: High, any transfer will trigger the bug. Impact: High, will update lpTokenDepositValue to the new current value without taking fees on profit.