QuantAMM

49,600 OP
Submission Details
Severity: medium
Valid

Reuse of the Same Variable for Uplift Fee and Swap Fee

Summary

The protocol charges both a swapFee and an upliftFee, each managed through its own setter function. However, both setter functions update the same variable, quantAMMSwapFeeTake, leading to inaccuracies in fee handling.

Vulnerability Details

By using the same variable for two different types of fees (upliftFee and swapFee), any updates to one fee will directly affect the other. This design prevents the quantammAdmin from setting distinct values for each fee, causing unintended fee configurations.
Let's review the swap fee setter function.

contracts/UpdateWeightRunner.sol:126

    function setQuantAMMSwapFeeTake(uint256 _quantAMMSwapFeeTake) external override {
        require(msg.sender == quantammAdmin, "ONLYADMIN");
        require(_quantAMMSwapFeeTake <= 1e18, "Swap fee must be less than 100%");
        uint256 oldSwapFee = quantAMMSwapFeeTake;
        // Writes the state variable that the uplift fee setter also writes.
        quantAMMSwapFeeTake = _quantAMMSwapFeeTake;
    }

Here the setter writes the state variable quantAMMSwapFeeTake, which can also be configured using the setQuantAMMUpliftFeeTake function.

contracts/UpdateWeightRunner.sol:141

    function setQuantAMMUpliftFeeTake(uint256 _quantAMMUpliftFeeTake) external{
        require(msg.sender == quantammAdmin, "ONLYADMIN");
        require(_quantAMMUpliftFeeTake <= 1e18, "Uplift fee must be less than 100%");
        uint256 oldSwapFee = quantAMMSwapFeeTake;
        // Bug under discussion: the uplift fee is stored in the swap fee variable.
        quantAMMSwapFeeTake = _quantAMMUpliftFeeTake;
        emit UpliftFeeTakeSet(oldSwapFee, _quantAMMUpliftFeeTake);
    }

Consider the following scenario:

  1. The quantAMM admin sets the upliftFee to 50%, resulting in quantAMMSwapFeeTake = 0.5e18.

  2. The quantAMM admin then sets the swapFee to 20%, updating quantAMMSwapFeeTake = 0.2e18.

  3. When a user removes liquidity, the getQuantAMMUpliftFeeTake function will return 0.2e18.

  4. This creates a 30% fee loss for the protocol, since the uplift fee was meant to be 50% and 20% is applied. On the flip side, the same overwrite can also translate to a loss for the end user.
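
The scenario above, replayed against a constructed minimal model (an added example, not code from the QuantAMM repository or from this submission). The contract names SharedSlotFees, SplitSlotFees and FeeScenario are hypothetical, and access control and events are left out; SplitSlotFees uses the separate uplift variable and 0.3e18 default shown in the patch under Recommendations.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Constructed model of the fee storage only; not the real UpdateWeightRunner.
// SharedSlotFees mirrors the reported pattern: one variable behind both fees.
contract SharedSlotFees {
    uint256 public quantAMMSwapFeeTake = 0.5e18;

    function setQuantAMMSwapFeeTake(uint256 fee) external {
        require(fee <= 1e18, "Swap fee must be less than 100%");
        quantAMMSwapFeeTake = fee;
    }

    function setQuantAMMUpliftFeeTake(uint256 fee) external virtual {
        require(fee <= 1e18, "Uplift fee must be less than 100%");
        quantAMMSwapFeeTake = fee; // reported bug: writes the swap fee variable
    }

    function getQuantAMMUpliftFeeTake() external view virtual returns (uint256) {
        return quantAMMSwapFeeTake; // reported bug: reads the swap fee variable
    }
}

// Same interface with the uplift fee moved to its own storage variable.
contract SplitSlotFees is SharedSlotFees {
    uint256 public quantAMMUpliftFeeTake = 0.3e18;

    function setQuantAMMUpliftFeeTake(uint256 fee) external override {
        require(fee <= 1e18, "Uplift fee must be less than 100%");
        quantAMMUpliftFeeTake = fee;
    }

    function getQuantAMMUpliftFeeTake() external view override returns (uint256) {
        return quantAMMUpliftFeeTake;
    }
}

// Hypothetical harness: replays steps 1-3 and compares what each getter returns.
// Shared slot: the uplift fee follows the swap fee. Split slots: both values hold.
contract FeeScenario {
    function replay(SharedSlotFees fees) public returns (uint256 swapTake, uint256 upliftTake) {
        fees.setQuantAMMUpliftFeeTake(0.5e18); // step 1: uplift fee set to 50%
        fees.setQuantAMMSwapFeeTake(0.2e18); // step 2: swap fee set to 20%
        return (fees.quantAMMSwapFeeTake(), fees.getQuantAMMUpliftFeeTake());
    }
    function check() external returns (bool) {
        (uint256 s1, uint256 u1) = replay(new SharedSlotFees());
        (uint256 s2, uint256 u2) = replay(new SplitSlotFees());
        return s1 == 0.2e18 && u1 == 0.2e18 && s2 == 0.2e18 && u2 == 0.5e18;
    }
}
```

Calling check() on a deployed FeeScenario returns true: the shared-variable model reports 0.2e18 for both fees after step 2, while the split model keeps the uplift fee at 0.5e18.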

Impact

Using the same variable for both upliftFee and swapFee can result in a loss, either for the protocol or the end user.

Tools Used

Manual Review

Recommendations

To avoid conflicts and potential losses, create a dedicated variable for the swap fee (e.g., swapFeeBps) instead of reusing upliftFeeBps for multiple fee types.

--- a/pkg/pool-quantamm/contracts/UpdateWeightRunner.sol
+++ b/pkg/pool-quantamm/contracts/UpdateWeightRunner.sol
@@ -122,6 +122,7 @@ contract UpdateWeightRunner is Ownable2Step, IUpdateWeightRunner {
/// @notice The % of the total swap fee that is allocated to the protocol for running costs.
uint256 public quantAMMSwapFeeTake = 0.5e18; // @note Fee set to 50% in init
+ uint256 public quantAMMUpliftFeeTake = 0.3e18;
function setQuantAMMSwapFeeTake(uint256 _quantAMMSwapFeeTake) external override {
require(msg.sender == quantammAdmin, "ONLYADMIN");
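Review bot: the new quantAMMUpliftFeeTake declaration has no NatSpec, unlike quantAMMSwapFeeTake directly above it, and its 0.3e18 default is not explained. Until now getQuantAMMUpliftFeeTake returned the shared variable, which is initialised to 0.5e18, so this line changes the effective uplift fee at deployment in addition to separating the storage. Add a /// @notice line for the new variable and either keep 0.5e18 or state why 30% is the intended default.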
@@ -141,10 +142,10 @@ contract UpdateWeightRunner is Ownable2Step, IUpdateWeightRunner {
function setQuantAMMUpliftFeeTake(uint256 _quantAMMUpliftFeeTake) external{
require(msg.sender == quantammAdmin, "ONLYADMIN");
require(_quantAMMUpliftFeeTake <= 1e18, "Uplift fee must be less than 100%");
- uint256 oldSwapFee = quantAMMSwapFeeTake;
- quantAMMSwapFeeTake = _quantAMMUpliftFeeTake;
+ uint256 oldUpliftFee = quantAMMUpliftFeeTake;
+ quantAMMUpliftFeeTake = _quantAMMUpliftFeeTake;
- emit UpliftFeeTakeSet(oldSwapFee, _quantAMMUpliftFeeTake);
+ emit UpliftFeeTakeSet(oldUpliftFee, _quantAMMUpliftFeeTake);
function getQuantAMMUpliftFeeTake() external view returns (uint256){
- return quantAMMSwapFeeTake;
+ return quantAMMUpliftFeeTake;
}
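Review bot: in setQuantAMMUpliftFeeTake the check "_quantAMMUpliftFeeTake <= 1e18" accepts exactly 100% while its revert string says "less than 100%"; since these lines are being touched anyway, either tighten the comparison to < or reword the message. The patch also changes only the contract file, so a regression test that sets each fee and asserts the other getter's value is unchanged should accompany it, otherwise the two variables can be re-coupled later without any test failing.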
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_quantAMMSwapFeeTake==quantAMMUplfitFeeTake

Likelihood: High, calling setters or getters.
Impact: Low/Medium, both getters return `quantAMMSwapFeeTake` and `setQuantAMMUpliftFeeTake` modify `quantAMMUplfitFeeTake`.
Real impact: those 2 values will be always the same.
