QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: medium

Valid

Critical Mismanagement of `quantAMMSwapFeeTake` Variables in `setQuantAMMUpliftFeeTake` and `getQuantAMMUpliftFeeTake` Leading to State Inconsistencies and Potential Financial Losses

eta

Summary

The setQuantAMMUpliftFeeTake function of the UpdateWeightRunner.sol contract incorrectly updates the quantAMMSwapFeeTake state variable instead of maintaining an independent quantAMMUpliftFeeTake variable. And the getQuantAMMUpliftFeeTake function returns the quantAMMSwapFeeTake state variable instead of quantAMMUpliftFeeTake variable. These result in state inconsistencies, mismanagement of fees, and inaccurate event logging, financial losses and protocol misbehavior.

Vulnerability Details

In the UpdateWeightRunner.sol contract, the setQuantAMMUpliftFeeTake function updates the quantAMMSwapFeeTake variable instead of maintaining a dedicated quantAMMUpliftFeeTake variable. And the getQuantAMMUpliftFeeTake function returns the quantAMMSwapFeeTake state variable instead of quantAMMUpliftFeeTake variable. Changing the swap fee variable while attempting to modify the uplift fee creates confusion and misalignment in fee configurations. The UpliftFeeTakeSet event logs the old value of quantAMMSwapFeeTake instead of the correct quantAMMUpliftFeeTake.

Additionally, the setQuantAMMSwapFeeTake and getQuantAMMSwapFeeTake functions already handle setting and retrieving the SwapFee, so there is no need for setQuantAMMUpliftFeeTake and getQuantAMMUpliftFeeTake to manage the same SwapFee.

pkg/pool-quantamm/contracts/UpdateWeightRunner.sol:setQuantAMMUpliftFeeTake:#L141-148

/// @notice Set the quantAMM uplift fee % amount allocated to the protocol for running costs

/// @param _quantAMMUpliftFeeTake The new uplift fee % amount allocated to the protocol for running costs

function setQuantAMMUpliftFeeTake(uint256 _quantAMMUpliftFeeTake) external{

require(msg.sender == quantammAdmin, "ONLYADMIN");

require(_quantAMMUpliftFeeTake <= 1e18, "Uplift fee must be less than 100%");

uint256 oldSwapFee = quantAMMSwapFeeTake;

quantAMMSwapFeeTake = _quantAMMUpliftFeeTake;

emit UpliftFeeTakeSet(oldSwapFee, _quantAMMUpliftFeeTake);

// @audit The functions updates the `quantAMMSwapFeeTake` variable instead of maintaining a dedicated `quantAMMUpliftFeeTake` variable.

}

pkg/pool-quantamm/contracts/UpdateWeightRunner.sol:getQuantAMMUpliftFeeTake#L151-L153

/// @notice Get the quantAMM uplift fee % amount allocated to the protocol for running costs

function getQuantAMMUpliftFeeTake() external view returns (uint256){

return quantAMMSwapFeeTake;

}

// @audit The function returns the `quantAMMSwapFeeTake` state variable instead of `quantAMMUpliftFeeTake` variable.

Impact

Fee Mismanagement: Misconfigured fees can result in incorrect fee charges, reducing protocol income and causing potential financial losses for users.
Operational Confusion: Mixing swap fees with uplift fees introduces significant operational complexity, making it difficult to track and audit fee structures.
Event Misrepresentation: Incorrect event data undermines transparency and trust, as external systems relying on event logs (e.g., analytics tools) receive inaccurate information.

Tools Used

Manual Review

Recommendations

It is recommended to add a separate state variable for quantAMMUpliftFeeTake to ensure clear differentiation between swap fees and uplift fees and update the function to modify the correct variable and log the correct event.

+ uint256 public quantAMMUpliftFeeTake = 0.5e18; // Initial value

function setQuantAMMUpliftFeeTake(uint256 _quantAMMUpliftFeeTake) external {

require(msg.sender == quantammAdmin, "ONLYADMIN");

require(_quantAMMUpliftFeeTake <= 1e18, "Uplift fee must be less than 100%");

+ uint256 oldUpliftFee = quantAMMUpliftFeeTake; // Correct variable

+ quantAMMUpliftFeeTake = _quantAMMUpliftFeeTake;

+ emit UpliftFeeTakeSet(oldUpliftFee, _quantAMMUpliftFeeTake);

}

function getQuantAMMUpliftFeeTake() external view returns (uint256) {

+ return quantAMMUpliftFeeTake;

}

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_quantAMMSwapFeeTake==quantAMMUplfitFeeTake

Likelyhood: High, calling setters or getters Impact: Low/Medium, both getters return `quantAMMSwapFeeTake` and `setQuantAMMUpliftFeeTake` modify `quantAMMUplfitFeeTake`. Real impact: those 2 values will be always the same.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!