QuantAMM
49,600 OP
Submission Details
Severity: high
Valid

Donations are sandwichable to steal funds from LPs

Summary

Large fee donations in UpliftOnlyExample are sandwichable, stealing funds from the actual LP providers who deserve them.

Vulnerability Details

Uplift fees taken from removeLiquidityProportional during onAfterRemoveLiquidity are donated to the pool in a stepwise manner:

File: UpliftOnlyExample.sol (lines 555-567)

    if (localData.adminFeePercent != 1e18) {
        // Donates accrued fees back to LPs.
        _vault.addLiquidity(
            AddLiquidityParams({
                pool: localData.pool,
                to: msg.sender, // It would mint BPTs to router, but it's a donation so no BPT is minted
                maxAmountsIn: localData.accruedFees, // Donate all accrued fees back to the pool (i.e. to the LPs)
                minBptAmountOut: 0, // Donation does not return BPTs, any number above 0 will revert
                kind: AddLiquidityKind.DONATION,
                userData: bytes("") // User data is not used by donation, so we can set it to an empty string
            })
        );
    }
  • This allows MEV bots (on L1) or racing transactions to capture value they do not deserve, essentially stealing it from genuine LP providers, and then remove their liquidity immediately afterwards.

An example of a whale removing liquidity with huge uplift fees donated:

1- An old whale in the wETH-USDC pool has had their balance uplifted 1000%:

  • from 2,500,000 USD/100wETH -> 25,000,000 USD/100wETH

  • Total value in the pool is 26,000,000 (the whale holds most of the pool)

2- upliftFeeBps is set to 5%, times 10 (the value change), so 11,500,000 is donated as fees to a pool of 1,000,000

3- An MEV bot sees the whale's liquidity removal and sandwiches it (with a flash loan or its own funds), adding liquidity worth 1,000,000 (holding 50% of the pool and receiving 50% of the donation)

4- When the MEV bot submits a withdrawal, it owns 6,750,000 from the donation + its own 1 million = 7,750,000

5- Its uplift fee is 5% * ~8 = 40% = 3,100,000

6- The MEV bot leaves the pool with 4,650,000, a profit of 4,650,000

The numbers in the example above may be exaggerated, only to show the feasibility of the MEV attack and that the fee is not a sufficient deterrent; the attack can be carried out against smaller whales too, the idea stays the same.

NOTE: It is worth mentioning that above I assumed that upliftFeeBps is applied to the whole withdrawal value and not to the value increase only; that is how the code actually works, but that is a separate bug.

Assuming instead that upliftFeeBps is applied only to the value increase, the attack becomes completely easy for an MEV bot to carry out, since it no longer requires a whale holding a large percentage of the pool to exit immediately. Here is what happens:

1- A whale in the wETH-USDC pool has had their balance uplifted 500%:

  • from 2,500,000 USD/100wETH -> 12,500,000 USD/100wETH

  • Total value in the Pool is 100,000,000

2- upliftFeeBps of 5%, times 5, applied to the 10,000,000 value increase gives 2,500,000 donated as fees to a pool of 87,500,000

3- An MEV bot sees the whale's liquidity removal and sandwiches it (with a flash loan or its own funds), adding liquidity worth 50,000,000 (holding ~50% of the pool and receiving ~50% of the donation)

4- When the MEV bot submits a withdrawal, it owns 1,750,000 from the donation + its own 50 million = 51,750,000 (a 2% uplift)

5- Its uplift fee is 5% * ~2/100 = 0.1% = 0.1 * 1,750,000 / 100 = 1750

6- The MEV bot leaves the pool with ~51,749,000, a profit of 1,749,000

In the second example above there may be small inaccuracies arising from the small percentage change and from uncertainty about how uplift fees would actually apply to only the uplifted value.

Impact

Funds are stolen from LP providers.

Tools Used

Manual review

Recommendations

Implement a timelock on LP provision, or implement vesting logic for the donation.
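A small share-accounting model of the first scenario above, added here as an example (it is not QuantAMM or Balancer code): a donation raises value per BPT without minting BPT, so an LP who joins in the same block the whale's fee donation lands and exits immediately takes half of it, while either recommended mitigation (a join-to-exit timelock, or linearly vesting the donation into pool value) leaves the sandwicher with nothing. The Pool class, block numbers and amounts are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Pool:
    value: float = 0.0                               # total pool value in USD (constructed model)
    lp_bpt: dict = field(default_factory=dict)       # BPT held per LP
    join_block: dict = field(default_factory=dict)   # block in which each LP last joined
    lock_blocks: int = 0       # mitigation 1: timelock, min blocks between join and exit
    vest_blocks: int = 0       # mitigation 2: donations vest linearly over this many blocks
    vesting: list = field(default_factory=list)      # [amount, start_block, released_so_far]

    def _vest(self, block):
        # Release the vested share of each pending donation into pool value.
        for v in self.vesting:
            amount, start, released = v
            due = amount * min(1.0, (block - start) / self.vest_blocks) - released
            self.value += due
            v[2] += due

    def add_liquidity(self, lp, amount, block):
        self._vest(block)
        total = sum(self.lp_bpt.values())
        minted = amount if total == 0 else amount * total / self.value
        self.value += amount
        self.lp_bpt[lp] = self.lp_bpt.get(lp, 0.0) + minted
        self.join_block[lp] = block

    def donate(self, amount, block):   # DONATION kind: no BPT minted
        if self.vest_blocks:
            self.vesting.append([amount, block, 0.0])  # streamed in later by _vest()
        else:
            self.value += amount                       # current behaviour: instant jump

    def remove_all(self, lp, block):
        if block - self.join_block[lp] < self.lock_blocks:
            raise ValueError("timelock: liquidity still locked")
        self._vest(block)
        out = self.value * self.lp_bpt[lp] / sum(self.lp_bpt.values())
        self.value -= out
        del self.lp_bpt[lp]
        return out

def sandwich(lock_blocks=0, vest_blocks=0):
    """Honest LP holds 1,000,000; attacker joins with 1,000,000 in the block the whale's 11,500,000 donation lands and exits at once. Returns (attacker payout, honest payout 1000 blocks later)."""
    p = Pool(lock_blocks=lock_blocks, vest_blocks=vest_blocks)
    p.add_liquidity("honest", 1_000_000, block=0)
    p.add_liquidity("attacker", 1_000_000, block=100)
    p.donate(11_500_000, block=100)
    attacker = p.remove_all("attacker", block=100)
    return attacker, p.remove_all("honest", block=1100)
```

With no mitigation `sandwich()` pays the attacker 6,750,000 and leaves the honest LP only 6,750,000 of the 12,500,000 they should have received; with `vest_blocks=1000` the attacker gets back exactly 1,000,000 and the honest LP later collects the full 12,500,000, and with `lock_blocks=10` the same-block exit reverts.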

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_frontrun_donation_and_big_removal

Likelihood: High, the donation is shared between the LP holders. Every removal will use that kind of transaction to collect the uplift fees. Impact: High, any frontrun can permit collecting a big amount of those fees.
