QuantAMM

Summary

The UpliftOnlyExample hook/router manages user liquidity deposits, mints NFTs and handles BPT tokens on their behalf. However, unlike the standard Balancer V3 router, it lacks a removeLiquidityRecovery function. This omission poses a significant risk to user funds in case of an unexpected situation or emergency, as users are unable to withdraw their liquidity safely through the recovery mechanism.

Vulnerability Details

• The UpliftOnlyExample hook/router does not implement a function analogous to removeLiquidityRecovery present in Balancer V3's standard router. This function is critical for enabling liquidity removal during Recovery Mode.

• All user BPT tokens are handled and managed by the UpliftOnlyExample contract. In an emergency scenario, such as a pool exploit or unexpected behavior in the hook/router or vault, users cannot access or withdraw their liquidity directly.

Impact

• In case of an exploit, bug or unexpected behavior, user BPT tokens managed by the UpliftOnlyExample hook/router could become vulnerable as they cannot remove liquidity safely using removeLiquidityProportional, leading to potential loss of funds.

• Users cannot leverage Balancer's Recovery Mode to proportionally withdraw their funds safely, defeating the purpose of a fail-safe mechanism provided by the protocol.

Tools Used

• Manual Code Review

• Balancer V3 Router Documentation

Recommendations

Add a function similar to Balancer V3's removeLiquidityRecovery to allow safe and proportional liquidity withdrawal during Recovery Mode. Ensure the UpliftOnlyExample hook/router fully supports Balancer’s Recovery Mode, allowing users to withdraw funds even during emergencies.