QuantAMM

49,600 OP
Submission Details
Severity: high
Valid

`QuantAMMAdmin` can never withdraw fees due to callback

Summary

Fees are accrued to the admin address; however, they can never be withdrawn.

Vulnerability Details

During withdrawals and swaps, fees are accrued to the `QuantAMMAdmin`; however, these fees can never be withdrawn.
The UpLift contract has no withdraw method for these fees, and they cannot be withdrawn using `removeLiquidityProportional()` because `poolsFeeData[]` is never updated for the admin, who also holds no LPNFT.
During liquidity removal, `_vault.addLiquidity()` is called, which adds liquidity on behalf of the admin address. However, if the admin tries to remove that liquidity directly from the contract, the pool's hook contract, which is the Uplift contract, is called, and `onAfterRemoveLiquidity()` reverts for the admin.

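```solidity
localData.lpTokenDepositValueNow = getPoolLPTokenValue(localData.prices, pool, MULDIRECTION.MULDOWN);
// Fee records are looked up per pool and per user.
FeeData[] storage feeDataArray = poolsFeeData[pool][userAddress];
localData.feeDataArrayLength = feeDataArray.length;
localData.amountLeft = bptAmountIn;
// With no records for userAddress, length - 1 underflows under Solidity 0.8 checked arithmetic.
for (uint256 i = localData.feeDataArrayLength - 1; i >= 0; --i) {
    localData.lpTokenDepositValue = feeDataArray[i].lpTokenDepositValue;
    // ... (the excerpt ends here in the report)
}
```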

Impact

Fees accrued for the protocol can never be withdrawn.

Tools Used

NA

Recommended Mitigation

Check if `userAddress == QuantAMMAdmin` in `onAfterRemoveLiquidity()` and, if so, skip all fee calculation and deductions to enable smooth withdrawals.
Alternatively, run a full deposit for the admin.
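
The first mitigation, modelled as an added example that is not QuantAMM's code: a reduced hook with the same loop header as the excerpt, next to a variant that returns early for the admin. The names `UpliftHookModel`, `recordDeposit`, `feeBaseReported`, `feeBaseMitigated` and the `amount` field are hypothetical, the pro-rata arithmetic is a simplification, and Solidity 0.8 checked arithmetic is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Added model of the hook's bookkeeping, not QuantAMM code.
/// Hypothetical: contract and function names, FeeData.amount, the pro-rata math.
contract UpliftHookModel {
    struct FeeData {
        uint256 amount;              // hypothetical: BPT covered by this deposit record
        uint256 lpTokenDepositValue; // value recorded at deposit time
    }

    address public immutable quantAMMAdmin; // assumption: the hook knows the admin address
    mapping(address => mapping(address => FeeData[])) internal poolsFeeData;

    constructor(address admin) {
        quantAMMAdmin = admin;
    }

    /// Stand-in for the deposit path that gives a regular LP its fee records.
    function recordDeposit(address pool, address user, uint256 amount, uint256 value) external {
        require(amount > 0, "empty deposit");
        poolsFeeData[pool][user].push(FeeData(amount, value));
    }

    /// Same loop header as the excerpt. With no records for `user`,
    /// `length - 1` underflows (Panic 0x11) and the whole removal reverts.
    function feeBaseReported(address pool, address user, uint256 bptAmountIn)
        public view returns (uint256 depositValue)
    {
        FeeData[] storage feeDataArray = poolsFeeData[pool][user];
        uint256 amountLeft = bptAmountIn;
        for (uint256 i = feeDataArray.length - 1; i >= 0; --i) {
            uint256 used = amountLeft < feeDataArray[i].amount ? amountLeft : feeDataArray[i].amount;
            depositValue += feeDataArray[i].lpTokenDepositValue * used / feeDataArray[i].amount;
            amountLeft -= used;
            if (amountLeft == 0 || i == 0) break; // stop before `--i` can wrap
        }
    }

    /// Mitigation from the report: the admin skips fee accounting entirely.
    function feeBaseMitigated(address pool, address user, uint256 bptAmountIn)
        external view returns (uint256)
    {
        if (user == quantAMMAdmin) return 0; // no records exist, nothing to charge
        return feeBaseReported(pool, user, bptAmountIn);
    }
}
```

Calling `feeBaseReported` for an address that never went through `recordDeposit` reverts, while `feeBaseMitigated` returns for the admin and behaves identically for every other user.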

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_Uplift_admin_cannot_withdraw_without_nft

Likelihood: High, won’t be able to withdraw. Impact: High, funds stuck.
