QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Front-Running Vulnerability in LP Position Transfer

Summary

LP NFTs can be transferred and listed on third-party exchanges. Complex NFTs such as these can be sold because the NFT itself holds value beyond the token (the LP position). This allows a front-running attack in which the attacker front-runs the transfer and removes 99% of the position's liquidity before the transfer completes, giving the attacker 99% of the position's value plus the proceeds from selling the LP NFT.

Vulnerability Details

The sequence of events is as follows:

  1. Create a legitimate LP position

  2. Put the NFT on a 3rd party exchange

  3. Monitor the mempool for any transactions that will transfer the NFT to a victim

  4. Front-run the transfer transaction to:

    • Extract most of the position's value through removeLiquidityProportional

    • Allow the transfer to complete with a nearly worthless position

  5. The victim receives an LP position that appears valid but has been drained of value

  6. The attacker now owns 99% of the position's value plus the proceeds from selling the LP NFT.

This does not need to go through a third-party exchange. It can be done through any other method that involves transferring the LP NFT and expecting it to be worth a certain amount of value.

For reference, the same attack has been reported in other protocols:
wenwin
footium

Impact

Loss of funds

Tools Used

Manual Review

Recommendations

Consider removing the ability to transfer LP NFTs if their original amount is greater than the current amount. This would indicate that the position is smaller than it was originally, which is required for this attack to take place.
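The recommended check, sketched as a simplified Python model rather than contract code (an added example, not part of the submission or of QuantAMM's code base). `LPNft`, `Position`, `TransferBlocked` and `received_amount` are hypothetical names, and the amounts are constructed.

```python
# Toy model of the recommended transfer guard; hypothetical names, not QuantAMM code.
from dataclasses import dataclass
from typing import Optional

class TransferBlocked(Exception):
    """Raised when a position that has shrunk since creation is transferred."""

@dataclass
class Position:
    owner: str
    original_amount: int  # liquidity recorded when the position was created
    current_amount: int   # liquidity still backing the NFT

class LPNft:
    def __init__(self, guard_enabled: bool):
        self.guard_enabled = guard_enabled
        self.positions = {}  # token_id -> Position

    def mint(self, token_id: int, owner: str, amount: int) -> None:
        self.positions[token_id] = Position(owner, amount, amount)

    def remove_liquidity_proportional(self, token_id: int, caller: str, amount: int) -> None:
        pos = self.positions[token_id]
        if caller != pos.owner:
            raise PermissionError("not owner")
        if not 0 < amount <= pos.current_amount:
            raise ValueError("invalid amount")
        pos.current_amount -= amount

    def transfer(self, token_id: int, sender: str, to: str) -> None:
        pos = self.positions[token_id]
        if sender != pos.owner:
            raise PermissionError("not owner")
        # Recommended check: refuse to move a position smaller than at creation.
        if self.guard_enabled and pos.original_amount > pos.current_amount:
            raise TransferBlocked("position reduced since creation")
        pos.owner = to

def received_amount(guard_enabled: bool, withdrawn_first: int) -> Optional[int]:
    """Liquidity the recipient ends up holding, or None if the transfer reverted."""
    nft = LPNft(guard_enabled)
    nft.mint(1, "seller", 1_000)
    if withdrawn_first:  # withdrawal ordered ahead of the transfer
        nft.remove_liquidity_proportional(1, "seller", withdrawn_first)
    try:
        nft.transfer(1, "seller", "buyer")
    except TransferBlocked:
        return None
    return nft.positions[1].current_amount
```

With the guard enabled, any position that has been partially withdrawn becomes non-transferable, including one held by an honest owner.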

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
