QuantAMM
49,600 OP
Submission Details
Severity: medium
Valid

DOS Attack Through Malicious Position Transfers

Summary

The afterUpdate function in the UpliftOnlyExample contract allows unlimited position transfers to a target address, enabling a DOS attack that can prevent users from removing liquidity or transferring their legitimate positions.

Vulnerability Details

In the UpliftOnlyExample contract, the afterUpdate function is responsible for handling position transfers between addresses. When a position is transferred, it adds the position's fee data to the recipient's array:

function afterUpdate(address _from, address _to, uint256 _tokenID) public {
    // ... existing code ...
    if (tokenIdIndexFound) {
        if (_to != address(0)) {
            // every incoming transfer appends one entry to the recipient's array
            poolsFeeData[poolAddress][_to].push(feeDataArray[tokenIdIndex]);
        }
    }
}

The vulnerability lies in the fact that there is no limit on how many positions can be transferred to a single address. An attacker can exploit this by:

  1. Waiting for a user to create a legitimate position
  2. Creating multiple small (dust) positions
  3. Transferring all these dust positions to the target user's address

When the victim tries to remove liquidity or transfer their legitimate position, the contract must iterate through all positions to process the request. With enough dust positions, this operation will consume more gas than the block limit allows, causing the transaction to revert.

Impact

DoS: users can be permanently prevented from removing liquidity or transferring their positions, effectively locking their funds in the protocol. This attack is relatively inexpensive to execute since it only requires creating multiple small positions and transferring them.

Tools Used

Manual Review

Recommendations

Implement a maximum limit on the number of positions that can be held by a single address:

function afterUpdate(address _from, address _to, uint256 _tokenID) public {
    // ... existing code ...
    if (tokenIdIndexFound) {
        if (_to != address(0)) {
            // maxAmountOfPositions: a configurable cap on positions per address
            require(
                poolsFeeData[poolAddress][_to].length < maxAmountOfPositions,
                "Too many positions"
            );
            // the original push, kept after the check so fee data is still recorded
            poolsFeeData[poolAddress][_to].push(feeDataArray[tokenIdIndex]);
        }
    }
}

This change ensures that no address can accumulate enough positions to cause gas-related DOS attacks while still allowing legitimate users to manage a reasonable number of positions.
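To show the failure mode from the Vulnerability Details and the cap from the Recommendations side by side, here is an added, self-contained illustration. It is not QuantAMM's code: the contract name, `FeeData`, `MAX_POSITIONS_PER_ADDRESS`, `receivePositionUnchecked`, `receivePositionChecked` and `removePosition` are assumptions for this example, chosen to mirror the per-recipient `poolsFeeData[pool][owner]` array and the linear scan by `tokenID` that the finding describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not QuantAMM's code. It reproduces the shape of the
/// issue: a per-(pool, owner) fee-data array that grows by one entry on every
/// incoming transfer and is scanned linearly whenever the owner acts on one
/// position. All names in this contract are assumptions for the example.
contract PositionRegistryExample {
    struct FeeData {
        uint256 tokenID;
        uint256 amount;
    }

    /// Same layout as poolsFeeData[poolAddress][owner] in the finding.
    mapping(address => mapping(address => FeeData[])) private poolsFeeData;

    /// Cap that bounds the worst-case length of any per-owner scan.
    /// Pick it so that MAX * (gas per loop iteration) stays well under
    /// the block gas limit; the value here is an assumed placeholder.
    uint256 public constant MAX_POSITIONS_PER_ADDRESS = 100;

    error TooManyPositions(address to, uint256 current);
    error PositionNotFound(uint256 tokenID);

    /// Vulnerable shape: any number of entries may be pushed onto `to`'s array,
    /// so a third party can grow it until the owner's own calls run out of gas.
    function receivePositionUnchecked(address pool, address to, FeeData memory d) external {
        poolsFeeData[pool][to].push(d);
    }

    /// Hardened shape: the recommended length check, then the same push.
    function receivePositionChecked(address pool, address to, FeeData memory d) external {
        uint256 n = poolsFeeData[pool][to].length;
        if (n >= MAX_POSITIONS_PER_ADDRESS) revert TooManyPositions(to, n);
        poolsFeeData[pool][to].push(d);
    }

    /// The operation the dust entries make unaffordable: locate the caller's
    /// position by tokenID with a linear scan, then swap-and-pop it.
    /// Gas grows with the array length, which only the cap keeps bounded.
    function removePosition(address pool, uint256 tokenID) external returns (FeeData memory removed) {
        FeeData[] storage arr = poolsFeeData[pool][msg.sender];
        uint256 len = arr.length;
        for (uint256 i = 0; i < len; ++i) {
            if (arr[i].tokenID == tokenID) {
                removed = arr[i];
                arr[i] = arr[len - 1];
                arr.pop();
                return removed;
            }
        }
        revert PositionNotFound(tokenID);
    }

    /// Helper for inspecting how large an owner's array has become.
    function positionCount(address pool, address owner) external view returns (uint256) {
        return poolsFeeData[pool][owner].length;
    }
}
```

The defensive point is in `receivePositionChecked`: the check must sit in front of the existing push rather than replace it, and the cap has to be derived from the per-iteration cost of the scans that run over the array (here `removePosition`), not chosen arbitrarily. A cap that is too generous still leaves room for a recipient's array to be padded by others up to that limit, so the realistic question for the protocol is what array length keeps every per-owner operation comfortably within one block.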

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_afterUpdate_does_not_check_limit_NFT_per_user

Likelihood: Medium/High, anyone can receive an unlimited number of NFTs, but it will cost the creation of LP tokens and sending them. Impact: Low/Medium, DoS of afterUpdate and addLiquidityProportional, but it will be mitigable on-chain because a lot of those NFTs can be burned easily in onAfterRemoveLiquidity.
