QuantAMM

49,600 OP
Submission Details
Severity: high
Valid

Malicious User Can Bypass Uplift Fee in `UpliftOnlyExample.sol`

Summary

The `UpliftOnlyExample.sol` contract applies an uplift fee only when a user profits from providing liquidity. However, a malicious user can bypass this fee by transferring their lpNFT to their own address, which resets the recorded price to the current BPT price. This lets them avoid the uplift fee even after making a profit.

Vulnerability Details

The `afterUpdate()` function is triggered when an lpNFT is transferred. This function resets the base price of the associated lpNFT to the current BPT price. A malicious user can:

  1. Transfer their lpNFT to another wallet, causing the `afterUpdate()` function to set the profit baseline to the current price.

  2. Remove liquidity from the new wallet without incurring any uplift fee, as the calculated profit becomes zero.

Impact

  1. Loss of fee revenue for the protocol

  2. Lower fees paid by the malicious user

Tools Used

Manual Review

Recommendations

Apply the uplift fee during lpNFT transfers
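
The accounting flaw and the recommended direction can be seen in a small model. This is an added example, not code from the submission or from `UpliftOnlyExample.sol`: the `Position` class, the function names, the 50% fee rate and the prices are all constructed for illustration.

```python
"""Toy model of uplift-fee accounting. All names and numbers are constructed
for illustration and are not taken from UpliftOnlyExample.sol."""
from dataclasses import dataclass

UPLIFT_FEE_BPS = 5_000  # assumed rate: 50% of profit, chosen for easy arithmetic


@dataclass
class Position:
    owner: str
    bpt_amount: int
    deposit_price: int  # BPT price recorded as the profit baseline


def uplift_fee(pos: Position, current_price: int) -> int:
    """Fee charged only on profit above the recorded baseline."""
    profit = max(current_price - pos.deposit_price, 0) * pos.bpt_amount
    return profit * UPLIFT_FEE_BPS // 10_000


def transfer_resetting_baseline(pos: Position, new_owner: str, current_price: int) -> int:
    """Behaviour the finding describes: the transfer hook rewrites the
    baseline to the current price and collects nothing."""
    pos.owner = new_owner
    pos.deposit_price = current_price
    return 0


def transfer_settling_fee(pos: Position, new_owner: str, current_price: int) -> int:
    """Recommended direction: settle the accrued uplift fee first, so the
    reset baseline only covers profit that has already been charged."""
    fee = uplift_fee(pos, current_price)
    pos.owner = new_owner
    pos.deposit_price = current_price
    return fee


def total_fees(transfer_fn=None, deposit_price=100, exit_price=150, amount=10) -> int:
    """Deposit, optionally transfer at exit_price, then remove liquidity."""
    pos = Position("wallet_a", amount, deposit_price)
    paid = transfer_fn(pos, "wallet_b", exit_price) if transfer_fn else 0
    return paid + uplift_fee(pos, exit_price)
```

A regression test for the real contract can assert the same invariant: the total uplift fee collected for a position must not depend on whether the lpNFT was transferred before liquidity was removed.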

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_afterUpdate_bypass_fee_collection_updating_the_deposited_value

Likelihood: High, any transfer will trigger the bug. Impact: High, will update lpTokenDepositValue to the new current value without taking fees on profit.
