Summary

The onAfterSwap function contains a vulnerability that causes overcharging of QuantAMM Admin fees due to precision loss in the calculation:

This issue arises from integer truncation during division, which results in inflated fee amounts when quantAMMFeeTake is a fractional value, such as 0.6e18. As a result, the protocol charges higher fees than intended..

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol#L331-L340

Vulnerability Details

1. Problematic Formula:

   uint256 adminFee = hookFee / (1e18 / quantAMMFeeTake);

   • The division 1e18 / quantAMMFeeTake results in integer truncation, discarding fractional parts.

   • For example, when quantAMMFeeTake = 0.6e18, the result of 1e18 / quantAMMFeeTake is truncated to 1 instead of the correct 1.666....

2. Incorrect Fee Calculation:

   • Using the truncated value as the denominator causes the adminFee to be overcharged.

   • In this example, the adminFee is calculated as 1e18 wei instead of the intended 0.6e18 wei.

3. Code Example:

   Parameters:

   • hookFee = 1e18.

   • quantAMMFeeTake = 0.6e18.

   Current Logic:

   uint256 adminFee = hookFee / (1e18 / quantAMMFeeTake);

   • Calculate 1e18 / quantAMMFeeTake:
     1e18 / 0.6e18 = 1.666... -> truncated to 1.

   • Compute adminFee:
     adminFee = 1e18 / 1 = 1e18.

   Mitigation Logic:

   uint256 adminFee = hookFee * quantAMMFeeTake / 1e18;

   • Calculate hookFee * quantAMMFeeTake:
     1e18 * 0.6e18 = 0.6e36.

   • Divide by 1e18:
     adminFee = 0.6e36 / 1e18 = 0.6e18

Impact

Overcharging of Fees

Tools Used

Recommendations

Replace the problematic formula with a precision-preserving calculation: