The UpliftOnlyExample contract allows users to reset their uplift fees to a lower rate by transferring LP tokens to another wallet when fees are decreased, resulting in potential loss of yield for fee recipients.
In the afterUpdate function of the UpliftOnlyExample contract, when an LP token is transferred between addresses, the contract updates the upliftFeeBps for the token to the current global fee rate:
This creates an exploit path where users can avoid paying higher historical fees by:
1. Waiting for the admin to lower the global upliftFeeBps fee rate
2. Transferring their LP tokens to another wallet they control
3. Having their fee rate reset to the new lower rate, avoiding the previous higher rate
Loss of yield - Fee recipients (like liquidity providers) lose expected yield when users exploit this fee reset mechanism to avoid paying their original higher fee rates.
Manual Review
Remove the fee rate update during token transfers to maintain the original fee rate associated with the deposit:
This ensures that the original fee rate stays with the LP position regardless of transfers between addresses, preventing fee avoidance through transfers.
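The fee reset and the recommended behaviour side by side, as an added example that is not the contest's contract code: a simplified Python model of a per-position fee rate. The class and method names, the admin setter, the sample rates and the fee-on-uplift formula are all assumptions made for illustration.

```python
from dataclasses import dataclass

BPS = 10_000  # basis-point denominator


@dataclass
class Position:
    owner: str
    deposit_value: int
    uplift_fee_bps: int  # rate recorded for this position at deposit


class UpliftPool:
    """Simplified model; names and the fee formula are assumptions."""

    def __init__(self, uplift_fee_bps: int, reset_fee_on_transfer: bool):
        self.uplift_fee_bps = uplift_fee_bps  # global rate
        self.reset_fee_on_transfer = reset_fee_on_transfer
        self.positions: dict[int, Position] = {}

    def set_uplift_fee_bps(self, bps: int) -> None:
        # Hypothetical admin setter for the global rate.
        self.uplift_fee_bps = bps

    def deposit(self, owner: str, value: int) -> int:
        token_id = len(self.positions) + 1
        self.positions[token_id] = Position(owner, value, self.uplift_fee_bps)
        return token_id

    def transfer(self, token_id: int, to: str) -> None:
        pos = self.positions[token_id]
        pos.owner = to
        if self.reset_fee_on_transfer:
            # Behaviour described in the finding: the position picks up
            # the current global rate on every transfer.
            pos.uplift_fee_bps = self.uplift_fee_bps
        # Recommended behaviour: leave the recorded rate untouched.

    def exit_fee(self, token_id: int, current_value: int) -> int:
        pos = self.positions[token_id]
        uplift = max(current_value - pos.deposit_value, 0)
        return uplift * pos.uplift_fee_bps // BPS


def fee_after_transfer(reset_fee_on_transfer: bool) -> int:
    # Constructed scenario: deposit at 200 bps, global rate cut to 50 bps,
    # position moved to a second wallet, then exit with 500_000 of uplift.
    pool = UpliftPool(200, reset_fee_on_transfer)
    token_id = pool.deposit("wallet_a", 1_000_000)
    pool.set_uplift_fee_bps(50)
    pool.transfer(token_id, "wallet_b")
    return pool.exit_fee(token_id, 1_500_000)
```

The invariant worth carrying into a regression test for the real contract is that a position's recorded fee rate is identical before and after a transfer.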
Likelihood: High, any transfer will trigger the bug. Impact: Low, will update upliftFeeBps to the new current value which will increase or decrease the fees, but at the moment there is no setter for upliftFeeBps! So it won't change anything (but this setter should exist according to the sponsor).