QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Reentrancy Attack

Summary

The LPNFT contract contains a potential reentrancy vulnerability in the _update function. This function interacts with an external router contract by calling router.afterUpdate. Since afterUpdate is an external function, a malicious router implementation could re-enter the LPNFT contract, leading to unexpected or harmful behavior such as unauthorized state changes or token manipulation.

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-hooks/contracts/hooks-quantamm/LPNFT.sol#L49

Vulnerability Details

Vulnerable Function:
_update(address to, uint256 tokenId, address auth)

The _update function allows reentrancy because it makes an external call (router.afterUpdate) before completing its execution. If the router.afterUpdate function is malicious or misconfigured, it can re-enter the LPNFT contract, potentially calling other state-modifying functions (e.g., mint, burn, or transfer operations), leading to state inconsistencies or token theft.

Impact

The attacker could steal or manipulate NFTs through unauthorized reentrancy.

Reentrancy could lead to inconsistencies in the state of the LPNFT contract or the associated router.

Tools Used

Manual code review: The vulnerability was identified through a detailed analysis of the _update function's logic and its external call to router.afterUpdate.

Recommendations

Use ReentrancyGuard to add the nonReentrant modifier to _update.

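import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract LPNFT is ERC721, ReentrancyGuard {
    // ... existing state and functions ...

    function _update(address to, uint256 tokenId, address auth)
        internal
        override
        nonReentrant
        returns (address previousOwner)
    {
        // ... existing body, including the external call to router.afterUpdate ...
    }
}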

Perform external calls at the end of the function after updating internal state to ensure the contract is in a consistent state before any potential reentrancy occurs.
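Both recommendations combined in one self-contained contract, as an added example that is not part of the original submission and is not the project's LPNFT code. It assumes OpenZeppelin Contracts 5.x; the contract name `GuardedHookNFT`, the interface `IRouterHook`, the `afterUpdate` parameter list and the `mint` access check are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical interface: only the name afterUpdate comes from the finding,
// the parameter list is assumed for illustration.
interface IRouterHook {
    function afterUpdate(address from, address to, uint256 tokenId) external;
}

// Illustrative contract, not the project's LPNFT.
contract GuardedHookNFT is ERC721, ReentrancyGuard {
    // Immutable: the hook target is fixed at deployment and cannot be swapped later.
    IRouterHook public immutable router;

    constructor(IRouterHook router_) ERC721("Guarded Hook NFT", "GHN") {
        router = router_;
    }

    // Assumed access rule for the example: only the router mints.
    function mint(address to, uint256 tokenId) external {
        require(msg.sender == address(router), "only router");
        _mint(to, tokenId);
    }

    function _update(address to, uint256 tokenId, address auth)
        internal
        override
        nonReentrant // a nested mint, transfer or burn started inside afterUpdate reverts
        returns (address previousOwner)
    {
        // Effects first: owner and balances are final before any external call.
        previousOwner = super._update(to, tokenId, auth);

        // Interaction last: the callee only ever observes settled state.
        // Caveat: a router that needs to mint or burn from inside afterUpdate
        // would now revert, so confirm the hook never calls back into this contract.
        router.afterUpdate(previousOwner, to, tokenId);
    }
}
```

The guard is held only while `_update` runs. In OpenZeppelin 5.x the `onERC721Received` check of a safe transfer or safe mint happens after `_update` returns, so that callback is not covered by this modifier.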

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
