An LP can game the system to pay lower fees than they are supposed to, using the transfer functionality.
Fees in the contracts are determined by the change in the lpTokenDepositValue between the deposit time and the withdrawal time. That change is multiplied by the depositAmount.
However, when the transfer feature is used, the lpTokenDepositValue is simply updated to the latest lpTokenDepositValue, thereby wiping out any accrued debt/expected fees.
Although the comments state that transferring is costly, users with a single-digit number of feeDataArray elements behind the position they are transferring will not incur significant costs from rewriting the arrays.
Therefore a user can simply transfer the NFT to a separate address and remove liquidity with that address within the same timeframe. Even if their position has gone up 10,000%, they would not be charged more than the minWithdrawalFeeBps.
The fee system in the liquidity removal process is undercut such that only the minWithdrawalFeeBps is ever paid, no matter the gains.
This affects the fees accrued for other LPs as well as the QuantAMM protocol fees and revenue.
Manual Review
Deduct partial or full fees before overwriting feeDataArray[tokenIdIndex].lpTokenDepositValue.
Likelihood: High, any transfer will trigger the bug. Impact: High, will update lpTokenDepositValue to the new current value without taking fees on profit.
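The fee reset and the recommended mitigation, as a simplified Python model added here (it is not QuantAMM's contract code). The fee formula, UPLIFT_FEE_BPS, the constant values, the settled_fee field and the scenario numbers are assumptions made for illustration.

```python
from dataclasses import dataclass

BPS = 10_000
MIN_WITHDRAWAL_FEE_BPS = 50   # assumed value for the fee floor
UPLIFT_FEE_BPS = 2_000        # assumed share of the gain charged as a fee


@dataclass
class FeeData:
    owner: str
    deposit_amount: int           # LP tokens held by the position
    lp_token_deposit_value: int   # value per LP token recorded at deposit
    settled_fee: int = 0          # hypothetical field used by the mitigation


def accrued_fee(pos: FeeData, current_value: int) -> int:
    """Fee on the gain since lp_token_deposit_value was last recorded."""
    gain = max(current_value - pos.lp_token_deposit_value, 0)
    return gain * pos.deposit_amount * UPLIFT_FEE_BPS // BPS


def transfer(pos: FeeData, new_owner: str, current_value: int,
             settle_fees: bool) -> None:
    if settle_fees:
        # Mitigation: account for the owed fee before the value is overwritten.
        pos.settled_fee += accrued_fee(pos, current_value)
    pos.owner = new_owner
    # The overwrite described in the finding: the fee baseline is reset.
    pos.lp_token_deposit_value = current_value


def withdrawal_fee(pos: FeeData, current_value: int) -> int:
    """Fee at liquidity removal, never below the minimum withdrawal fee."""
    floor = current_value * pos.deposit_amount * MIN_WITHDRAWAL_FEE_BPS // BPS
    return max(pos.settled_fee + accrued_fee(pos, current_value), floor)


def scenario(transfer_first: bool, settle_fees: bool = False) -> int:
    """Constructed case: 1,000 LP tokens deposited at 100, removed at 300."""
    pos = FeeData("lp_address", 1_000, 100)
    current_value = 300
    if transfer_first:
        transfer(pos, "lp_second_address", current_value, settle_fees)
    return withdrawal_fee(pos, current_value)


if __name__ == "__main__":
    print("direct withdrawal:         ", scenario(False))
    print("transfer, then withdrawal: ", scenario(True))
    print("transfer with settled fees:", scenario(True, settle_fees=True))
```

A regression test for the fix can assert the same invariant on the real contracts: the fee paid after a transfer followed by a withdrawal must equal the fee paid on a direct withdrawal at the same value.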