QuantAMM

Submission Details
Severity: high
Valid

Some fees are sent to the incorrect address

Summary

UpliftOnlyExample::onAfterSwap computes the hook fee on every swap: it withholds a portion of the tokens the vault would otherwise pay out and forwards the remainder to the user.

The withheld portion is split into quantAMMFeeTake (the protocol's share) and ownerFee (the pool owner's share). The protocol share is handled correctly; the way ownerFee is paid out is where the problem lies.

Vulnerability Details

https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol#L343

The ownerFee portion is paid out, in the fee token via the vault, to the router's address, which is the UpliftOnlyExample contract itself (it acts as both router and hook). The contract exposes no function that can transfer those tokens out again, so every ownerFee ever collected is permanently trapped in the hook.

Impact

  • Loss of value intended for the pool owner: the owner's share of every swap fee accrues to the hook contract instead and can never be retrieved.

  • Caveat for the fix: simply redirecting the transfer to the current owner() is not safe in every variant. If ownership has been renounced, owner() is address(0); most ERC20 tokens revert on a transfer to the zero address, so every fee-charging swap through the pool could revert.

Tools Used

Manual Review

Recommendations

Keep a dedicated fee-recipient address in the contract's storage (settable by the owner and rejecting the zero address) and send the ownerFee there instead of to the router. At a minimum, add an owner-only function to withdraw tokens that have accumulated on the contract, so funds already trapped can be recovered.
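The vulnerable payout pattern beside the recommended fix, as an added example written for this page rather than code from the QuantAMM repository. The IVault/IERC20 interfaces, the contract names, the `_settleFee` helper and the `hookFee * quantAMMFeeTake / 1e18` split are assumed shapes for illustration; only the behaviour (ownerFee paid to address(this) with no withdraw path, versus a stored recipient with a zero-address guard and a sweep) mirrors the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-ins for the pieces of the vault the hook touches.
// The real Balancer v3 ABIs are larger; only what this example needs is declared.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IVault {
    // Pays `amount` of `token` out of the vault to `to` (assumed shape of the settlement call).
    function sendTo(IERC20 token, address to, uint256 amount) external;
}

// Vulnerable pattern: the owner's share of the hook fee is paid to address(this)
// and the contract exposes nothing that can move it out again.
contract TrappedOwnerFeeHook {
    IVault public immutable vault;
    address public immutable quantAMMAdmin;

    constructor(IVault vault_, address quantAMMAdmin_) {
        vault = vault_;
        quantAMMAdmin = quantAMMAdmin_;
    }

    // `hookFee` is the total fee already withheld from the swap output;
    // `quantAMMFeeTake` is the protocol share in 18-decimal fixed point (1e18 == 100%).
    // The split arithmetic is an assumption for illustration, not the project's exact formula.
    function _settleFee(IERC20 feeToken, uint256 hookFee, uint256 quantAMMFeeTake) internal {
        uint256 adminFee = (hookFee * quantAMMFeeTake) / 1e18;
        uint256 ownerFee = hookFee - adminFee;
        if (adminFee > 0) vault.sendTo(feeToken, quantAMMAdmin, adminFee);
        if (ownerFee > 0) vault.sendTo(feeToken, address(this), ownerFee); // stuck: no withdraw path
    }
}

// Hardened pattern: a dedicated, owner-settable recipient held in storage,
// a zero-address guard so a renounced owner can never become the payee,
// and a sweep for balances that already landed on the contract.
contract OwnerFeeRecipientHook {
    IVault public immutable vault;
    address public immutable quantAMMAdmin;
    address public owner;
    address public feeRecipient;

    event FeeRecipientSet(address indexed recipient);

    error NotOwner();
    error ZeroAddress();
    error TransferFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(IVault vault_, address quantAMMAdmin_, address feeRecipient_) {
        if (feeRecipient_ == address(0)) revert ZeroAddress();
        vault = vault_;
        quantAMMAdmin = quantAMMAdmin_;
        owner = msg.sender;
        feeRecipient = feeRecipient_;
    }

    // The recipient is independent of `owner`, so renouncing ownership never turns the payee into address(0).
    function setFeeRecipient(address recipient) external onlyOwner {
        if (recipient == address(0)) revert ZeroAddress();
        feeRecipient = recipient;
        emit FeeRecipientSet(recipient);
    }

    function _settleFee(IERC20 feeToken, uint256 hookFee, uint256 quantAMMFeeTake) internal {
        uint256 adminFee = (hookFee * quantAMMFeeTake) / 1e18;
        uint256 ownerFee = hookFee - adminFee;
        if (adminFee > 0) vault.sendTo(feeToken, quantAMMAdmin, adminFee);
        if (ownerFee > 0) vault.sendTo(feeToken, feeRecipient, ownerFee); // paid to the stored recipient
    }

    // Escape hatch for tokens stranded on the contract before the fix was deployed.
    function sweep(IERC20 token, address to) external onlyOwner {
        if (to == address(0)) revert ZeroAddress();
        if (!token.transfer(to, token.balanceOf(address(this)))) revert TransferFailed();
    }
}
```

In the hardened contract, `onAfterSwap` would call `_settleFee` with the amount it already withheld; keeping `feeRecipient` separate from `owner` is what avoids the renounced-ownership revert described under Impact, and `sweep` is the only way to recover balances that the vulnerable version already sent to itself.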

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_ownerFee_cannot_be_withdrawn

Likelihood: High, every swap. Impact: High, funds are stuck.
