Deposit are done in FILO not FIFO
Summary
The UpliftOnlyExample contract implements LIFO (Last In First Out) withdrawal order instead of the intended FIFO (First In First Out) design (specified in QuantAMM team example audit objective doc), forcing users to withdraw their most recent deposits first.
Vulnerability Details
The onAfterRemoveLiquidity function processes withdrawals starting from the most recent deposit by iterating from the end of the array:
This contradicts the documented FIFO design and prevents users from accessing their earlier deposits that may have more favorable fee conditions until all later deposits are withdrawn first.
Impact
Users cannot selectively withdraw older deposits with potentially lower fees
Active LPs are forced to withdraw recent deposits first even if they prefer to maintain those positions
Tools Used
Manual review
Recommendations
1- Modify the withdrawal loop to process deposits in FIFO order:
2- Update the data structure to maintain FIFO order during deposits and withdrawals
3- Alternatively, if LIFO is actually intended, update the documentation to accurately reflect the implementation
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.