In the UpliftOnlyExample contract, the onAfterRemoveLiquidity() function serves as a hook called by the Vault during liquidity removal to enable the implementation of custom logic for a specific pool. In this case, it handles the uplift logic. A key aspect of this logic is determining whether the pool's value has changed in the period between the liquidity addition and its removal. The problem is that this calculation is not implemented correctly, which compromises the entire logic and leads to a loss of funds due to fees.
From the code, it can be seen that the old value is subtracted from the new value, and the result is divided by the old value to determine the percentage change. The problem is that the numerator is not multiplied by 1e18 beforehand, so the integer division rounds down to 0 whenever the numerator is smaller than the denominator. For example, if the old value is 10e18 and the value increases by 20%, the new value would be 12e18. In this case, (12e18 - 10e18) / 10e18 = 0 in Solidity. The smallest increase that would result in a non-zero value is a 2x increase.
Wrong fee calculation and loss of funds from fees.
Manual review
Multiply the numerator by 1e18 to fix the rounding down to 0.
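The truncation described above next to the recommended scaling, as an added Solidity example. It is not the UpliftOnlyExample code: the contract and function names are hypothetical, and signed 18-decimal values are an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Added illustration only. Names are hypothetical and not taken from
/// UpliftOnlyExample; values are assumed to be signed 18-decimal fixed point.
contract ValueChangeDemo {
    int256 internal constant ONE = 1e18; // 18-decimal fixed-point unit

    /// Pattern described in the finding: divide without scaling first.
    /// Any change smaller than oldValue truncates to 0.
    function changeTruncated(int256 oldValue, int256 newValue) public pure returns (int256) {
        require(oldValue > 0, "old value must be positive");
        return (newValue - oldValue) / oldValue;
    }

    /// Recommended pattern: multiply the numerator by 1e18 before dividing,
    /// so the result is the relative change in 18-decimal fixed point.
    function changeScaled(int256 oldValue, int256 newValue) public pure returns (int256) {
        require(oldValue > 0, "old value must be positive");
        return ((newValue - oldValue) * ONE) / oldValue;
    }

    /// Worked cases; reverts if any expectation is wrong.
    function check() external pure {
        // +20% (the example from the finding): lost entirely without scaling.
        assert(changeTruncated(10e18, 12e18) == 0);
        assert(changeScaled(10e18, 12e18) == 0.2e18);

        // 2x: the first increase that survives truncation, but only as a bare 1.
        assert(changeTruncated(10e18, 20e18) == 1);
        assert(changeScaled(10e18, 20e18) == 1e18);

        // -20%: signed division truncates toward zero, so a decrease is lost too.
        assert(changeTruncated(10e18, 8e18) == 0);
        assert(changeScaled(10e18, 8e18) == -0.2e18);
    }
}
```

Note that even at a 2x increase the unscaled result is 1, not 1e18, so any later comparison against an 18-decimal threshold would still treat it as effectively zero.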
Likelihood: High, every call to the function (withdraw)

Impact: Low/Medium, uplift fees will be applied only when the price of one asset is doubled but fixed fees will still be collected.