QuantAMM

Summary

A vulnerability was identified in the UpliftOnlyExample smart contract, where the lpTokenDepositValue is updated during an NFT pool position transfer without proper validation. The absence of checks on the lpTokenDepositValueNow can result in invalid or reverted pool calculations being stored. This could potentially disrupt future fee computations by introducing inaccurate data due to issues such as oracle malfunctions.

Vulnerability Details

In the UpliftOnlyExample contract when a user transfers their NFT representing their pool position, there is a critical issue with the rate validation when calculating the new fee data. The lpTokenDepositValue is updated to the current value but there is no check to validate if the pool calculation reverted or returned invalid values.

Impact

This could lead to bad data being stored if there are oracle issues, potentially impacting future fee calculations for that position since the rates at time of transfer are used as the new base for uplift calculations.

Tools Used

Manual Review

Recommendations

To mitigate this issue, validate lpTokenDepositValueNow before updating the feeDataArray to ensure it is a valid, non-zero value, and implement error handling in the getPoolLPTokenValue function to prevent the storage of invalid data. Introduce a fallback mechanism to use the last known valid value or pause updates if oracle data is unavailable or incorrect. Additionally, emit events to log invalid attempts for better debugging and monitoring. Finally, conduct comprehensive testing and auditing of the contract and its external dependencies to ensure robustness and resilience against edge cases and oracle anomalies.