QuantAMM

49,600 OP
Submission Details
Severity: medium
Invalid

User can withdraw more than his BPT balance

Summary

The current FIFO withdrawal implementation in UpliftOnlyExample opens attack paths to drain the contract of BPT tokens completely.

Vulnerability Details

1- Current Implementation (Safe):

    for (uint256 i = localData.feeDataArrayLength - 1; i >= 0; --i) {
        // Process withdrawals
        if (localData.amountLeft == 0) break;
        // ... withdrawal logic
    }
  • Naturally reverts on underflow if amountLeft > 0 when i reaches 0

  • Built-in protection against withdrawing more than owned

The problem is that it's not the intended design to have FILO, so we assumed that the loop actually runs in FIFO and there is no issue with the implementation.

2- FIFO (Intended design):

    for (uint256 i = 0; i < localData.feeDataArrayLength; i++) {
        // Process withdrawals
        if (localData.amountLeft == 0) break;
        // ... withdrawal logic
    }
  • Loop completes even if amountLeft > 0

  • No natural revert mechanism

  • Allows withdrawing more than owned balance

Impact

Draining of BPT tokens from UpliftOnlyExample

Recommendation

Add explicit balance validation:

    require(bptAmountIn <= userBalance, "Insufficient BPT balance");
    for (uint256 i = 0; i < localData.feeDataArrayLength; i++) {
        // Process withdrawals
    }
    require(localData.amountLeft == 0, "Invalid withdrawal amount");
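
The contrast between the two loop directions, as an added example that is not part of the submission or of the QuantAMM code base. It is a simplified model: the contract, struct, mapping, function and error names are all hypothetical, and fee handling is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. FifoWithdrawalModel, Deposit, deposits and the error
// name are hypothetical; none of them come from UpliftOnlyExample.
contract FifoWithdrawalModel {
    struct Deposit { uint256 amount; } // BPT still held by this record

    mapping(address => Deposit[]) public deposits;

    error WithdrawalExceedsDeposits(uint256 requested, uint256 unfilled);

    function recordDeposit(uint256 amount) external {
        deposits[msg.sender].push(Deposit(amount));
    }

    // Takes as much as possible from one record and returns what is still owed.
    function _consume(Deposit storage d, uint256 amountLeft) private returns (uint256) {
        uint256 take = d.amount < amountLeft ? d.amount : amountLeft;
        d.amount -= take;
        return amountLeft - take;
    }

    // Newest-first loop with the same header as the first snippet. `i >= 0` is
    // always true for uint256, so the loop only ends through `break` or through
    // the checked `--i` at i == 0, which reverts with Panic(0x11).
    function withdrawNewestFirst(uint256 bptAmountIn) external {
        Deposit[] storage records = deposits[msg.sender];
        uint256 amountLeft = bptAmountIn;
        for (uint256 i = records.length - 1; i >= 0; --i) {
            amountLeft = _consume(records[i], amountLeft);
            if (amountLeft == 0) break;
        }
    }

    // Oldest-first loop. It ends normally when the records run out, so a
    // shortfall must be rejected explicitly, as the recommendation does.
    function withdrawOldestFirst(uint256 bptAmountIn) external {
        Deposit[] storage records = deposits[msg.sender];
        uint256 amountLeft = bptAmountIn;
        for (uint256 i = 0; i < records.length && amountLeft != 0; i++) {
            amountLeft = _consume(records[i], amountLeft);
        }
        if (amountLeft != 0) revert WithdrawalExceedsDeposits(bptAmountIn, amountLeft);
    }
}
```

With deposits of 10 and 5 recorded, a request for 20 reverts in both functions: the first through the arithmetic panic, the second through the named error, which also reports the unfilled amount.
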
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
