The UpliftOnlyExample contract implements an unnecessary minWithdrawalFeeBps that provides no additional security while negatively impacting user economics when withdrawing non-uplifted positions and positions at a loss.
The contract implements minWithdrawalFeeBps as a security measure:
However, this is redundant because:
MEV attacks attempting to extract value from swap fees would trigger uplift fees since their value increased, making minWithdrawalFeeBps irrelevant
Share price manipulation through getPoolLPTokenValue is prevented by design:
The pool only allows proportional liquidity additions through the hook, meaning any attempt to manipulate reserves would equally affect both numerator (balances) and denominator (total supply), neutralizing the attack vector.
While this doesn't create a direct security vulnerability, it unnecessarily charges fees to users withdrawing without uplift and to users whose deposit value decreased due to strategy performance.
Manual review
Remove minWithdrawalFeeBps entirely since the protocol design already provides security against:
MEV attacks (through uplift fees)
Share price manipulation (through proportional deposits)
Reserve manipulation (through hook-controlled liquidity)
Allow zero-fee withdrawals when no uplift has occurred to improve user experience in down markets
Focus fee structure purely on capturing value from successful uplifts rather than maintaining unnecessary minimum fees
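The fee impact and the proportional-deposit argument above, worked through as an added example (a simplified model, not the contract's code). It assumes the uplift fee scales with the percentage gain and that minWithdrawalFeeBps applies only when there is no gain; all function names and figures are constructed.

```python
from fractions import Fraction

BPS = 10_000

def withdrawal_fee(deposit_value, current_value, uplift_fee_bps, min_fee_bps):
    """Fee (in value units) on a full withdrawal under the assumed model."""
    gain = current_value - deposit_value
    if gain > 0:
        # Uplifted position: fee rate grows with the percentage gain.
        fee_bps = gain * uplift_fee_bps // deposit_value
    else:
        # Flat or losing position: only the minimum fee can apply.
        fee_bps = min_fee_bps
    return current_value * fee_bps // BPS

def compare(positions, uplift_fee_bps, min_fee_bps):
    """Return (fee with minimum, fee with minimum removed) per position."""
    return [
        (withdrawal_fee(d, c, uplift_fee_bps, min_fee_bps),
         withdrawal_fee(d, c, uplift_fee_bps, 0))
        for d, c in positions
    ]

def lp_token_value(pool_value, total_supply):
    """Value of one LP token as an exact fraction."""
    return Fraction(pool_value, total_supply)

def proportional_add(pool_value, total_supply, add_bps):
    """Proportional add: balances and supply scale by the same factor."""
    return (pool_value + pool_value * add_bps // BPS,
            total_supply + total_supply * add_bps // BPS)

# Constructed sample: (deposit value, value at withdrawal)
POSITIONS = [(1000, 1200), (1000, 1000), (1000, 800)]  # uplift, flat, loss

if __name__ == "__main__":
    for (d, c), (with_min, without) in zip(POSITIONS, compare(POSITIONS, 2000, 50)):
        print(f"deposit={d} current={c} fee_with_min={with_min} fee_without={without}")
    before = lp_token_value(1_000_000, 500_000)
    after = lp_token_value(*proportional_add(1_000_000, 500_000, 1000))
    print("LP token value before/after proportional add:", before, after)
```

In this model the uplifted position pays the same fee whether or not the minimum exists, while the flat and losing positions are the only ones the minimum affects.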