QuantAMM

Submission Details
Severity: high
Valid

Lack of Withdrawal Functionality for Collected Swap Fees in `UpliftOnlyExample` contract, Causing Fund Lock

Summary

The `UpliftOnlyExample` contract collects a share of swap fees but exposes no function to withdraw them, so every fee it receives remains locked in the contract.

Vulnerability Details

The snippet below shows that on every swap the contract receives the owner's share of the swap fee (`ownerFee`) in the ERC20 token `feeToken`, but nothing in the contract ever transfers those tokens out again.

  • Found in pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol at Line 343

293: function onAfterSwap(
...
342:     if (ownerFee > 0) {
343: =>      _vault.sendTo(feeToken, address(this), ownerFee); // receives feeToken on every swap
344:         emit SwapHookFeeCharged(address(this), feeToken, ownerFee);

Impact

Because fees accrue on every swap and the contract has no path to move them out, the collected `feeToken` balance is permanently inaccessible, which is a direct loss of protocol revenue.

Tools Used

Manual Review

Recommendations

Implement a withdrawal function that allows the owner to retrieve accumulated swap fees, ensuring funds are not locked in the contract.

// Added to UpliftOnlyExample; assumes the OpenZeppelin SafeERC20 library and an Ownable-style owner() are available.
using SafeERC20 for IERC20;

event HookFeeWithdrawn(address indexed hook, IERC20 indexed feeToken, address indexed recipient, uint256 amount);

/// @notice Sweeps the accumulated swap fees held in `feeToken` to the owner.
function withdrawFees(IERC20 feeToken) external onlyOwner {
    uint256 feeAmount = feeToken.balanceOf(address(this));
    if (feeAmount > 0) {
        feeToken.safeTransfer(owner(), feeAmount);
        emit HookFeeWithdrawn(address(this), feeToken, owner(), feeAmount);
    }
}
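The following Foundry test is an added illustration of both the defect described under Vulnerability Details and the recommended fix; it is not QuantAMM code. It assumes forge-std and OpenZeppelin Contracts v5 are installed, and the contract names (`LockedFeeHook`, `WithdrawableFeeHook`, `FeeToken`) and the `recordFee` helper are hypothetical stand-ins for the real hook and vault. Minting tokens directly to the hook stands in for `_vault.sendTo(feeToken, address(this), ownerFee)`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not project code. Assumes forge-std and OpenZeppelin Contracts v5.
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Constructed fee token; `mint` plays the role of the vault paying fees to the hook.
contract FeeToken is ERC20 {
    constructor() ERC20("Fee", "FEE") {}
    function mint(address to, uint256 amount) external { _mint(to, amount); }
}

/// Hypothetical hook with the reported defect: it accumulates `ownerFee` and never releases it.
contract LockedFeeHook is Ownable {
    event SwapHookFeeCharged(address indexed hook, IERC20 indexed feeToken, uint256 amount);

    constructor() Ownable(msg.sender) {}

    /// Mirrors the `onAfterSwap` branch: the fee has already arrived here when this is called.
    function recordFee(IERC20 feeToken, uint256 ownerFee) external {
        if (ownerFee > 0) emit SwapHookFeeCharged(address(this), feeToken, ownerFee);
    }
    // No function moves `feeToken` out of this contract, so the balance is stuck.
}

/// The same hook with the recommended owner-only sweep added.
contract WithdrawableFeeHook is LockedFeeHook {
    using SafeERC20 for IERC20;

    event HookFeeWithdrawn(address indexed hook, IERC20 indexed feeToken, address indexed to, uint256 amount);

    function withdrawFees(IERC20 feeToken) external onlyOwner {
        uint256 feeAmount = feeToken.balanceOf(address(this));
        if (feeAmount > 0) {
            feeToken.safeTransfer(owner(), feeAmount);
            emit HookFeeWithdrawn(address(this), feeToken, owner(), feeAmount);
        }
    }
}

contract FeeLockTest is Test {
    FeeToken token;
    address owner = makeAddr("owner");

    function setUp() public { token = new FeeToken(); }

    /// Fees pile up in the hook and the owner has no path to them.
    function test_feesAreLockedWithoutWithdraw() public {
        vm.prank(owner);
        LockedFeeHook hook = new LockedFeeHook();

        token.mint(address(hook), 1e18); // stands in for _vault.sendTo(feeToken, address(this), ownerFee)
        hook.recordFee(token, 1e18);

        assertEq(token.balanceOf(address(hook)), 1e18);
        assertEq(token.balanceOf(owner), 0);
        // LockedFeeHook has no transfer path; nothing short of a redeploy can release this balance.
    }

    /// With the fix, a non-owner is rejected and the owner receives the full balance.
    function test_ownerCanWithdrawAfterFix() public {
        vm.prank(owner);
        WithdrawableFeeHook hook = new WithdrawableFeeHook();

        token.mint(address(hook), 1e18);
        hook.recordFee(token, 1e18);

        vm.expectRevert(); // caller is the test contract, not the owner
        hook.withdrawFees(token);

        vm.prank(owner);
        hook.withdrawFees(token);

        assertEq(token.balanceOf(address(hook)), 0);
        assertEq(token.balanceOf(owner), 1e18);
    }
}
```

Run with `forge test --match-contract FeeLockTest`. The first test only documents the stuck balance, since there is no call that could fail; the second checks both the access restriction and that the sweep empties the hook, which is the property a reviewer should require of any fix the team adopts.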
Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_ownerFee_cannot_be_withdrawn

Likelihood: High, every swap. Impact: High, funds are stuck.
