Reentrancy Vulnerability in `removeLiquidityProportional`
Summary
Reentrancy Vulnerability in removeLiquidityProportional
Vulnerability Details
The removeLiquidityProportional function calls _removeLiquidityProportional without a nonReentrant guard. While saveSender is used, this isn't sufficient protection against a reentrancy attack within _removeLiquidityProportional, particularly if _removeLiquidityProportional involves external calls or further state updates. The function's fee calculation within a loop also compounds the risk. The potential for an attacker to manipulate internal state (fee conditions) before funds are transferred presents a significant risk.
Exploitation Path: A malicious contract can call removeLiquidityProportional, then call back into UpliftOnlyExample (directly, or indirectly through _removeLiquidityProportional) before the funds are transferred, potentially stealing the intended withdrawal amount.
https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol
Tools Used
vscode
Recommendations
Enforce a nonReentrant modifier within the removeLiquidityProportional function itself. Further, ensure all relevant internal operations (including those made in _removeLiquidityProportional ) are protected against re-entry, with comprehensive checks of all external function calls.
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.