QuantAMM

Summary

When transferring LP NFTs between addresses, the lpTokenDepositValue is reset, allowing users to bypass uplift fees by transferring NFTs to another address they control.

Vulnerability Details

In the afterUpdate() function, when an LP NFT is transferred between addresses, the deposit value is updated to the current pool value and the timestamp is reset.

This effectively eliminates any accrued uplift that would have resulted in higher withdrawal fees because when the LP removes liquidity onAfterRemoveLiquidity is called and from there the value of fee is directly proportional to the lp token deposit value change;

Now from the observation of the code above, it can be seen that when an LP transfers an LPNFT and also removes liquidity by calling removeLiquidityProportional in the same transaction, the values of localData.lpTokenDepositValueNow and localData.lpTokenDepositValue will be exactly equal thus making the localData.lpTokenDepositValueChange to be ZERO or almost zero (if transactions have been done in different neighboring blocks), thus the LP will only pay minWithdrawalFeeBps without accounting for the LP token value deposit change.

PoC

1. Alice deposits 10 ETH into the pool when ETH price is $2000, receiving an LP NFT

2. ETH price increases to $3000 (+50% uplift)

3. Instead of withdrawing and paying uplift fees, Alice transfers her LP NFT to her other address Bob

4. The transfer resets the deposit value to current $3000 price

5. Bob can now withdraw immediately with only minimum withdrawal fee, bypassing a significant percentage of the uplift fee

Impact

This allows LPs to bypass the uplift fee mechanism which is core to the protocol's economic model. Any LP can pay less uplift fees by transferring positions between controlled addresses.

Tools Used

Manual Review

Recommendations

When transferring LP NFTs, maintain the original deposit timestamp and value rather than resetting them. Remove these lines from afterUpdate():