Note: This bug assumes that upliftFeeBps is applied to the uplifted value only, as intended in the whitepaper, and assumes the rounding down to 0 of lpTokenDepositValueChange is solved.
The UpliftOnlyExample contract's uplift fee calculation can result in fees lower than the intended minimum when small uplifts occur, potentially enabling MEV attacks that were meant to be prevented by minWithdrawalFeeBps.
The current implementation uses an if/else block that chooses between fee types during liquidity removal:
When calculating fees for uplifted positions:
Example scenario:
minWithdrawalFeeBps = 0.5% (50 bps)
upliftFeeBps = 50% (5000 bps)
MEV deposits 100e18
Gets 1% uplift (1e18)
Fee calculation: 1e18 * 50% = 5e17 (0.05% of total deposit)
Actual fee (0.05%) < minWithdrawalFeeBps (0.5%)
This creates a gap where MEV can extract value while paying less than the intended minimum fee.
The vulnerability enables:
MEV attacks with fees below the intended minimum (for example, just-in-time liquidity for large swaps, feeless swap attacks, etc.)
Potential value extraction through rapid deposit/withdraw cycle attacks
Manual review
Add the minWithdrawalFeeBps to the upliftFeeBps.
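The fee gap and the recommended change, as an added integer-math model that is not the contract's own code. The function names are hypothetical, the branch logic is assumed from the description above (the contract source is not shown here), and fee_min_plus_uplift is one reading of the recommendation: the minimum fee is always charged on the deposit and the uplift fee is added on top.

```python
BPS = 10_000  # basis-point denominator


def fee_if_else(deposit, uplift, uplift_fee_bps, min_fee_bps):
    """Assumed model of the if/else branch: with a positive uplift only the
    uplift is charged; otherwise the minimum fee is charged on the deposit."""
    if uplift > 0:
        return uplift * uplift_fee_bps // BPS
    return deposit * min_fee_bps // BPS


def fee_min_plus_uplift(deposit, uplift, uplift_fee_bps, min_fee_bps):
    """One reading of the recommendation: always charge the minimum fee on
    the deposit and add the uplift fee on any positive uplift."""
    floor = deposit * min_fee_bps // BPS
    return floor + max(uplift, 0) * uplift_fee_bps // BPS


def break_even_uplift_bps(uplift_fee_bps, min_fee_bps):
    """Uplift, in bps of the deposit (floored), below which fee_if_else pays
    less than the minimum: uplift * upliftFeeBps < deposit * minWithdrawalFeeBps."""
    return min_fee_bps * BPS // uplift_fee_bps


def undercuts_minimum(deposit, uplift, uplift_fee_bps, min_fee_bps):
    """True when the if/else fee is below the intended minimum fee."""
    floor = deposit * min_fee_bps // BPS
    return fee_if_else(deposit, uplift, uplift_fee_bps, min_fee_bps) < floor


if __name__ == "__main__":
    deposit = 100 * 10**18            # deposit from the scenario above
    uplift_fee_bps, min_fee_bps = 5000, 50  # parameters from the scenario above
    print("break-even uplift (bps):",
          break_even_uplift_bps(uplift_fee_bps, min_fee_bps))
    # Constructed uplift values, chosen to sit on both sides of the break-even.
    for uplift in (0, 10**17, 5 * 10**17, 2 * 10**18):
        args = (deposit, uplift, uplift_fee_bps, min_fee_bps)
        print(uplift, fee_if_else(*args), fee_min_plus_uplift(*args),
              undercuts_minimum(*args))
```

Running break_even_uplift_bps over a pool's configured parameters shows the range of uplifts for which a withdrawal pays less than minWithdrawalFeeBps under the branch model.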
Likelihood: Low, only on very low variation of the price. Impact: Low/Medium, few fees are not collected.