QuantAMM

49,600 OP
Submission Details
Severity: medium
Invalid

Legitimate users may lose funds due to unexpected fee increases

Summary

In UpliftOnlyExample::onAfterSwap, hookFee is calculated based on hookSwapFeePercentage, which can be set by the pool owner (not a trusted role). It is applied to all swap operations. While the fee must fall within the bounds of _MIN_SWAP_FEE_PERCENTAGE (0.1%) and _MAX_SWAP_FEE_PERCENTAGE (10%), there is a potential risk of unexpected user losses if the fee is altered between the initiation and completion of a swap transaction.

Vulnerability Details

The function setHookSwapFeePercentage allows the pool owner to modify the swap fee:

function setHookSwapFeePercentage(uint64 hookFeePercentage) external onlyOwner {
    require(hookFeePercentage >= _MIN_SWAP_FEE_PERCENTAGE, "Below _MIN_SWAP_FEE_PERCENTAGE");
    require(hookFeePercentage <= _MAX_SWAP_FEE_PERCENTAGE, "Above _MAX_SWAP_FEE_PERCENTAGE");
    hookSwapFeePercentage = hookFeePercentage;
    emit HookSwapFeePercentageChanged(address(this), hookFeePercentage);
}

If a user initiates a swap expecting a specific fee (e.g., 0.5%), but the pool owner updates the fee to a much higher value (e.g., 10%) before the swap is finalized, the user may incur significantly higher costs than anticipated.

Impact

  1. Financial Loss: Swaps executed with significantly higher fees than expected could result in unanticipated financial loss for users.

  2. Potential Exploitation: A malicious pool owner could exploit this flexibility to extract undue profits by setting the maximum allowable fee (10%) after observing a large incoming transaction.

PoC

Prerequisites:

  • Assume a liquidity pool (Pool) with an initial swap fee set to a low value, e.g., 0.5%.

  • User Alice plans to execute a large swap, unaware of any malicious behavior.

  • The pool owner has the ability to change the fee using the setHookSwapFeePercentage function.

  • The pool owner monitors the mempool for incoming transactions, looking for large swaps targeting the pool.

  • Upon detecting a large swap transaction from Alice, the pool owner executes a transaction just before Alice's transaction that sets the fee to 10% using the setHookSwapFeePercentage function.

Scenario:

  • Step 1: User Alice sends a transaction to swap a large amount of TokenA for TokenB.

  • Step 2: Malicious pool owner quickly sends a transaction to call setHookSwapFeePercentage(10%).

  • Step 3: Alice’s transaction is executed with the updated fee of 10%, resulting in unexpected losses due to excessive fees.

Tools Used

Manual review

Recommendations

We have two suggestions:

  1. Fee Locking: Introduce a mechanism to lock the hookSwapFeePercentage for a defined period after it is updated. For example, a 24-hour delay before the new fee becomes effective.

  2. Slippage Protection: Encourage users to configure slippage protection in their swaps. By setting a maximum allowable slippage (e.g., 0.5%), transactions will revert if the effective fee increases beyond expectations due to rapid changes in the swap fee percentage.
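
A sketch of the fee-locking recommendation, added here as an illustration and not taken from the QuantAMM code base. The contract name, FEE_CHANGE_DELAY, the storage variable names, the Scheduled event and the 18-decimal fee scaling are assumptions; the setter name, bounds and revert strings follow the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration of a delayed fee change; not QuantAMM code.
contract DelayedHookFee {
    // Bounds from the report (0.1% and 10%); 18-decimal scaling is an assumption.
    uint64 private constant _MIN_SWAP_FEE_PERCENTAGE = 0.001e18;
    uint64 private constant _MAX_SWAP_FEE_PERCENTAGE = 0.1e18;
    uint256 public constant FEE_CHANGE_DELAY = 24 hours; // hypothetical parameter

    address public immutable owner;
    uint64 private _activeFee;         // fee in force until a pending change matures
    uint64 private _pendingFee;        // announced fee, not yet chargeable
    uint256 public pendingFeeActiveAt; // 0 when nothing has been scheduled

    // Hypothetical event so users and front ends can see a change coming.
    event HookSwapFeePercentageScheduled(address indexed hook, uint64 fee, uint256 activeAt);

    constructor(uint64 initialFee) {
        _checkBounds(initialFee);
        owner = msg.sender;
        _activeFee = initialFee;
    }

    /// Fee a swap hook would read: the pending value counts only once the delay has passed.
    function hookSwapFeePercentage() public view returns (uint64) {
        bool matured = pendingFeeActiveAt != 0 && block.timestamp >= pendingFeeActiveAt;
        return matured ? _pendingFee : _activeFee;
    }

    /// Same entry point as in the report, but it schedules the change instead of applying it.
    function setHookSwapFeePercentage(uint64 hookFeePercentage) external {
        require(msg.sender == owner, "Not owner");
        _checkBounds(hookFeePercentage);
        // Settle an already matured change first, so overwriting the pending slot
        // cannot roll the charged fee back to a stale value.
        _activeFee = hookSwapFeePercentage();
        _pendingFee = hookFeePercentage;
        pendingFeeActiveAt = block.timestamp + FEE_CHANGE_DELAY;
        emit HookSwapFeePercentageScheduled(address(this), hookFeePercentage, pendingFeeActiveAt);
    }

    function _checkBounds(uint64 fee) private pure {
        require(fee >= _MIN_SWAP_FEE_PERCENTAGE, "Below _MIN_SWAP_FEE_PERCENTAGE");
        require(fee <= _MAX_SWAP_FEE_PERCENTAGE, "Above _MAX_SWAP_FEE_PERCENTAGE");
    }
}
```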

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

julianavantgarde Submitter
about 1 year ago
n0kto Lead Judge
about 1 year ago
n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
