QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

NFT can be minted with zero amount

Summary

A user can mint NFTs without adding liquidity to the pool. This enables a griefing attack in which the user mints all NFTs up to the 100-limit without contributing any value to the protocol.

Vulnerability Details

While users are required to add liquidity to mint an NFT, the code does not validate against a 0 amount. This oversight allows users to mint NFTs without contributing any liquidity.

/contracts/hooks-quantamm/UpliftOnlyExample.sol:220

    function addLiquidityProportional(
        address pool,
        uint256[] memory maxAmountsIn,
        uint256 exactBptAmountOut,
        bool wethIsEth,
        bytes memory userData
    ) external payable saveSender(msg.sender) returns (uint256[] memory amountsIn) {
        if (poolsFeeData[pool][msg.sender].length > 100) {
            revert TooManyDeposits(pool, msg.sender);
        }
        // Do addLiquidity operation - BPT is minted to this contract.
        amountsIn = _addLiquidityProportional(
            pool,
            msg.sender,
            address(this),
            maxAmountsIn,
            exactBptAmountOut,
            wethIsEth,
            userData
        );
        // ...

As seen in the code, there is no validation to prevent minting NFTs with a 0 amount. This creates a vulnerability where an attacker can mint all NFTs by simply switching accounts after every 100 mints.

Since transaction costs on Layer 2 networks like Base, Arbitrum, and Optimism are relatively low, this exploit is economically feasible. If exploited, no further liquidity can be added to the weightedPool via the router.

POC

    function testZeroValueNftMint() external {
        uint256[] memory maxAmountsIn = [uint256(0), uint256(0)].toMemoryArray();
        uint256 bptAmountDeposit = 0;
        vm.prank(bob);
        upliftOnlyRouter.addLiquidityProportional(pool, maxAmountsIn, bptAmountDeposit, false, bytes(""));
        LPNFT lpNft = upliftOnlyRouter.lpNFT();
        assertEq(lpNft.balanceOf(bob), 1);
    }

Impact

  1. DoS the UpliftRouter: Prevent additional liquidity from being added to the weightedPool.

  2. Damage Reputation: Minted NFTs with zero amount will degrade the credibility and reputation of the weightedPool's NFTs.

Tools Used

Manual Review, Unit Testing

Recommendations

Incorporate a revert statement in the minting logic. This ensures any attempt to mint with a 0 deposit is rejected.

diff --git a/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol b/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol
index c13cf7c..29a04df 100644
--- a/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol
+++ b/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol
@@ -188,6 +188,8 @@ contract UpliftOnlyExample is MinimalRouter, BaseHooks, Ownable {
*/
error TransferUpdateTokenIDInvaid(address from, address to, uint256 tokenId);
+ error ZeroAmountProvided(uint256 amount);
+
modifier onlySelfRouter(address router) {
_ensureSelfRouter(router);
_;
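Review bot: the uint256 amount parameter on the new ZeroAmountProvided error carries no information, because the only revert site this patch adds fires when exactBptAmountOut == 0, so the argument is always 0. Declare the error without parameters, or pass context that helps whoever reads the revert (for example the pool and the caller), and give it a documentation comment like the error declared just above it.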
@@ -224,6 +226,9 @@ contract UpliftOnlyExample is MinimalRouter, BaseHooks, Ownable {
bool wethIsEth,
bytes memory userData
) external payable saveSender(msg.sender) returns (uint256[] memory amountsIn) {
+ if(exactBptAmountOut == 0){
+ revert ZeroAmountProvided(exactBptAmountOut);
+ }
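
Review bot: the guard added at the top of addLiquidityProportional rejects only an exactBptAmountOut of exactly 0, so any non-zero value, however small, still passes it. If the intent is to reject deposits that add no meaningful liquidity, compare against a minimum deposit constant rather than 0 and name the error to match. Style: write if (exactBptAmountOut == 0) { with a space after if and before the opening brace.
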
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
