QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: medium

Valid

Both swap fee & uplift fee share the same storage variable leading to fees being overwritten & incorrect fee collection

0xtheblackpanther

Summary

The quantAMMUpliftFeeTake and quantAMMSwapFeeTake functions modify the same storage variable (quantAMMSwapFeeTake), causing fees to overwrite each other & leading to incorrect fee accounting.

Impact

Protocol fee accounting will be incorrect as uplift fees and swap fees overwrite each other, potentially leading to revenue loss or incorrect revenue distribution.
Both getter functions will return the same value despite representing different fee types.

PoC:

Add testSwapAndUpliftFeeBug test into pkg/pool-quantamm/test/foundry/UpdateWeightRunner.t.soland run it :)

function testSwapAndUpliftFeeBug() public {

// Initial fee states

uint256 initialSwapFee = updateWeightRunner.getQuantAMMSwapFeeTake();

vm.startPrank(owner);

// Set swap fee to 10%

updateWeightRunner.setQuantAMMSwapFeeTake(0.1e18);

assertEq(updateWeightRunner.getQuantAMMSwapFeeTake(), 0.1e18, "Swap fee should be 10%");

// Set uplift fee to 20% - this will overwrite swap fee storage

updateWeightRunner.setQuantAMMUpliftFeeTake(0.2e18);

// Both getters return 20% since they use same storage slot

assertEq(updateWeightRunner.getQuantAMMSwapFeeTake(), 0.2e18, "Swap fee incorrectly changed to 20%");

assertEq(updateWeightRunner.getQuantAMMUpliftFeeTake(), 0.2e18, "Both fees show same value");

// Set swap fee back to 5% - overwrites uplift fee

updateWeightRunner.setQuantAMMSwapFeeTake(0.05e18);

// Both return 5% showing they share storage

assertEq(updateWeightRunner.getQuantAMMSwapFeeTake(), 0.05e18, "Swap fee is 5%");

assertEq(updateWeightRunner.getQuantAMMUpliftFeeTake(), 0.05e18, "Uplift fee incorrectly changed to 5%");

vm.stopPrank();

}

Recommendation

Create separate storage variables for each fee type

// Create separate storage variables

uint256 public quantAMMSwapFeeTake = 0.5e18;

uint256 public quantAMMUpliftFeeTake = 0.5e18; // Add new variable

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_quantAMMSwapFeeTake==quantAMMUplfitFeeTake

Likelyhood: High, calling setters or getters Impact: Low/Medium, both getters return `quantAMMSwapFeeTake` and `setQuantAMMUpliftFeeTake` modify `quantAMMUplfitFeeTake`. Real impact: those 2 values will be always the same.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.