Single Storage Variable Used for Both Swap and Uplift Fees
Summary
The UpdateWeightRunner contract incorrectly uses the same storage variable quantAMMSwapFeeTake for both swap fees and uplift fees, leading to incorrect fee calculations in the UpliftOnlyExample contract.
Vulnerability Details
In UpdateWeightRunner:
Both
setQuantAMMUpliftFeeTake()andsetQuantAMMSwapFeeTake()modify the same storage variablequantAMMSwapFeeTakegetQuantAMMUpliftFeeTake()returnsquantAMMSwapFeeTake
In UpliftOnlyExample:
Line 331: Retrieves uplift fee using
getQuantAMMUpliftFeeTake()Line 519: Uses the same function for swap fee calculations
This means both uplift fees and swap fees will always be identical, which is likely not the intended behavior, (evidenced from the two setter and getter functions too)
Impact
Incorrect fee calculations as uplift fees and swap fees cannot be set independently
Tools Used
Manual Review
Recommendations
1- Add separate storage variable for uplift fees:
2- Update getter functions to return correct variables:
3- Ensure setter functions modify their respective variables
Lead Judging Commences
finding_quantAMMSwapFeeTake==quantAMMUplfitFeeTake
Likelyhood: High, calling setters or getters Impact: Low/Medium, both getters return `quantAMMSwapFeeTake` and `setQuantAMMUpliftFeeTake` modify `quantAMMUplfitFeeTake`. Real impact: those 2 values will be always the same.
Appeal created
finding_quantAMMSwapFeeTake==quantAMMUplfitFeeTake
Likelyhood: High, calling setters or getters Impact: Low/Medium, both getters return `quantAMMSwapFeeTake` and `setQuantAMMUpliftFeeTake` modify `quantAMMUplfitFeeTake`. Real impact: those 2 values will be always the same.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.