QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Limit of 101 deposits per account can still lead to OOG in UpliftOnlyExample

brgltd

Summary

The limit of 101 deposits per user can still lead to OOG due to multiple storage reads and writes inside the pool data array.

Vulnerability Details

QuantAMM will use a limit of 101 deposits in UpliftOnlyExample (user can deposit from index 0 to 100).

https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol#L226

If we run a POC with the gas limit before and removing liquidity in a case where the array if at max capacity (by making 101 deposits with 1e18 and removing in one TX with 101e18) we can see it will consume ~1.3M gas.

Path: pkg/pool-hooks/test/foundry/UpliftExample.t.sol

function testOOG() public {
uint256[] memory maxAmountsIn = [dai.balanceOf(bob), usdc.balanceOf(bob)].toMemoryArray();
vm.startPrank(bob);
for (uint256 i = 0; i <= 100; ++i) {
upliftOnlyRouter.addLiquidityProportional(pool, maxAmountsIn, 1e18, false, bytes(""));
}
vm.stopPrank();
int256[] memory prices = new int256[]();
for (uint256 i = 0; i < tokens.length; ++i) {
prices[i] = int256(i) * 2e18;
}
updateWeightRunner.setMockPrices(pool, prices);
uint256 nftTokenId = 0;
uint256[] memory minAmountsOut = [uint256(0), uint256(0)].toMemoryArray();
BaseVaultTest.Balances memory balancesBefore = getBalances(bob);
vm.startPrank(bob);
// Measure gas consumed.
uint256 gasStart = gasleft();
upliftOnlyRouter.removeLiquidityProportional(101e18, minAmountsOut, false, pool);
uint256 gasUsed = gasStart - gasleft();
console.log("gasUsed", gasUsed); // 1.2M
vm.stopPrank();
}

Block limit on the ethereum mainnet (as of january 2025) is 30M.

However, specially during times of congestion it will be unlikely to get a TX with 1.7M gas through, specially when using a wallet.

Impact

Active traders using the protocol via a wallet can experience failing transactions when trying to withdraw liquidity.

Similar issues can take place on LP token transfers.

Tools Used

Manual review. Forge.

Recommendations

Decrease the deposit limit to 50 transactions, which should leave more room to avoid OOG.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.