QuantAMM

49,600 OP
Submission Details
Severity: medium
Valid

UpliftOnlyExample.removeLiquidityProportional is vulnerable to a DoS attack

Summary

The removeLiquidityProportional function burns one or more of the caller's NFTs in exchange for tokens managed by a QuantAMMPool, always burning the most recently minted/received NFT first.

Vulnerability Details

The issue arises because an attacker can transfer many NFTs with negligible share amounts to a victim. The victim's removeLiquidityProportional call then has to process every one of them, so the transaction grows until it can no longer be executed within the block gas limit, which is a DoS.

https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol#L471

It is worth noting that the per-user NFT limit is only enforced when a user mints NFTs, not when NFTs are received through a transfer.

Impact

DoS for users attempting to exit the protocol.

Affected users may not even be able to transfer their NFTs to other addresses.

Tools Used

Manual Review

Recommendations

Ensure that a user cannot receive additional NFTs once the per-user limit has already been reached, i.e. enforce the limit on incoming transfers as well as on minting.
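The following contract is an added illustration of the pattern this finding describes and of the recommended fix; it is not the QuantAMM code and does not reproduce UpliftOnlyExample. It assumes OpenZeppelin Contracts v5 (where every mint, transfer and burn goes through the internal `_update` hook), and the limit constant, the `Position` struct and the function names are constructed for the example. Because the per-owner limit is checked in `_update`, a transfer that would push the recipient over the limit reverts, so the LIFO burn loop in `removeLiquidity` is bounded by `MAX_POSITIONS_PER_USER` rather than by however many dust positions a third party chose to send.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example, not QuantAMM code. Assumes OpenZeppelin Contracts v5.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

contract PositionNFT is ERC721 {
    // Constructed limit for the example; the real value is protocol-specific.
    uint256 public constant MAX_POSITIONS_PER_USER = 10;

    struct Position {
        uint256 shares;
    }

    mapping(uint256 => Position) public positions;
    // Per-owner list of token ids; the last element is the most recently received.
    mapping(address => uint256[]) internal _owned;
    mapping(uint256 => uint256) internal _indexInOwned;
    uint256 internal _nextId;

    error TooManyPositions(address owner, uint256 limit);

    constructor() ERC721("Position", "POS") {}

    // Mint a position NFT for the caller. The limit is NOT checked here on purpose:
    // enforcing it only in mint is exactly the gap the finding describes, because a
    // plain ERC721 transfer would bypass such a check. _update is the single choke point.
    function deposit(uint256 shares) external returns (uint256 id) {
        id = _nextId++;
        positions[id] = Position({shares: shares});
        _safeMint(msg.sender, id);
    }

    // Every mint, transfer and burn passes through here, so the per-user limit holds
    // regardless of how a token arrives. Reverting on an over-limit recipient is the fix.
    function _update(address to, uint256 tokenId, address auth)
        internal
        override
        returns (address from)
    {
        from = super._update(to, tokenId, auth);
        if (from != address(0)) {
            _removeFromOwned(from, tokenId);
        }
        if (to != address(0)) {
            if (_owned[to].length >= MAX_POSITIONS_PER_USER) {
                revert TooManyPositions(to, MAX_POSITIONS_PER_USER);
            }
            _indexInOwned[tokenId] = _owned[to].length;
            _owned[to].push(tokenId);
        }
    }

    // Swap-and-pop removal so bookkeeping stays O(1) per token.
    function _removeFromOwned(address owner, uint256 tokenId) internal {
        uint256[] storage list = _owned[owner];
        uint256 idx = _indexInOwned[tokenId];
        uint256 lastId = list[list.length - 1];
        list[idx] = lastId;
        _indexInOwned[lastId] = idx;
        list.pop();
        delete _indexInOwned[tokenId];
    }

    // Burns the caller's positions last-in-first-out until `sharesWanted` is covered.
    // The loop touches at most MAX_POSITIONS_PER_USER tokens because no address can
    // hold more than that, so an attacker cannot inflate the caller's gas cost.
    function removeLiquidity(uint256 sharesWanted) external returns (uint256 sharesOut) {
        uint256[] storage list = _owned[msg.sender];
        while (sharesOut < sharesWanted && list.length > 0) {
            uint256 id = list[list.length - 1];
            sharesOut += positions[id].shares;
            delete positions[id];
            _burn(id); // _update pops the id from `list`, shrinking it for the next iteration
        }
    }
}
```

If the project prefers to keep minting and transfers separate, the same check can be placed in an ERC721 receiver-side hook instead, but a single `_update` override is harder to bypass because there is no code path that moves a token without it. A quick sanity test for either variant is to mint `MAX_POSITIONS_PER_USER` tokens to one address, transfer one more to it from a second address, and expect the revert.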

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_afterUpdate_does_not_check_limit_NFT_per_user

Likelihood: Medium/High, anyone can receive an unlimited number of NFTs but it will cost creation of LP tokens and sending them. Impact: Low/Medium, DoS the afterUpdate and addLiquidityProportional but will be mitigable on-chain because a lot of those NFTs can be burned easily in onAfterRemoveLiquidity.
