LPNFT can be used to rug users
Summary
The UpliftOnlyExample contract allows partial withdrawals of liquidity while an NFT is listed for sale on marketplaces, enabling a bait-and-switch attack where sellers can drain value before a sale completes.
Vulnerability Details
The issue exists because:
-
In
removeLiquidityProportional(), the contract doesn't check for any external NFT approvals -
The NFT ownership and actual liquidity value are decoupled - an NFT can represent partial liquidity after withdrawals.
Attack flow:
Attacker deposits 100K USD worth of liquidity, receiving an NFT
Lists NFT on OpenSea for 98K USD (appearing as a good deal)
When buyer attempts purchase, attacker frontruns by withdrawing most liquidity
Buyer receives an NFT worth much less than expected
Impact
Ruging users causing bad reputation for QuantAmm
Tools Used
Manual review
Recommendations
prevent withdrawals as long as external NFT approvals are set
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.