QuantAMM

Summary

Users are charged too much exitFee in UpliftOnlyExample::onAfterRemoveLiquidity when localData.lpTokenDepositValueChange > 0 and can cause underflow error if lpTokenDepositValueChange increase too much.

Vulnerability Details

• In UpliftOnlyExample::onAfterRemoveLiquidity, whenever user remove their liquidity, they will be charged an exitFee based on feePerLP.

• And the feePerLP is calculated based on lpTokenDepositValueChange. UpliftOnlyExample.sol#L480-L484

• While the idea of charging feePerLP based on how much increase of deposit tokens value is a fair idea. But the implementation of the above code has a problem:

  • The feePerLP will increases proportionally with the lpTokenDepositValueChange. Developers may forget that even if feePerLP is a fixed percentage, the exitFee tokens value still increases proportionally with the lpTokenDepositValueChange.

• So, the value of exitFee will increase exponentially due to:

  1. The value of the tokens increases.

  2. The amount of fee tokens increases.

Impact

• Users will be charged too much exitFee if lpTokenDepositValueChange > 0.

• And in a worse scenario, user can not withdraw their liquidity when localData.lpTokenDepositValueChange > (10000 / upliftFeeBps). Leading to feePerLP > 1e18, the amount of exitFee exceed hookAdjustedAmountsOutRaw and cause underflow error with this line of code:

PoC

• If upliftFeeBps = 200, lpTokenDepositValueChange rise to 51 (price increase 52 times). User can not call removeLiquidityProportional function.

• Place this test in UpliftExample.t.sol

• Then in /2024-12-quantamm/pkg/pool-hooks run forge test --mt test_tooMuch_exitFee_userCanNotWithdraw -vvvv. Look into the terminal, the removeLiquidityProportional transaction will revert with [Revert] panic: arithmetic underflow or overflow (0x11) error.

Tools Used

• Manual review.

• Foundry

Recommendations

When calculating feePerLP:

• Do not multifly upliftFeeBps with lpTokenDepositValueChange.

• Or, have a maxWithdrawalFeeBps variable.