QuantAMM

Summary

[https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol#](https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol#L471

Vulnerability Details

In the onAfterRemoveLiquidity() function, there is a code snippet written as follows:

In Solidity 0.8 and above, when a uint256 value decrements below 0, it triggers an underflow, causing the contract to revert. This introduces a Denial of Service (DoS) risk. For example, if feeDataArrayLength == 1, during the first iteration of the loop, i would be 0. Decrementing i (--i) would then result in an underflow, causing the contract to revert. This means users would be unable to withdraw liquidity or execute related logic.

This issue could be maliciously exploited in the following ways:
Exploitation Method: If an attacker can manipulate the contract into a state where there is only one or very few FeeData records, requiring reverse iteration, they could effectively block legitimate users from successfully calling the function. This could lead to a partial or complete contract “freeze.”

Impact

Users would be unable to withdraw liquidity, and project teams might need to urgently upgrade or apply special handling to resolve the issue. This would cause severe usability problems.

While this does not fall under the category of “fund theft” attacks, it constitutes a critical denial-of-service attack. On the mainnet, if contract logic contains similar flaws, the contract could become frozen in certain scenarios, preventing the execution of critical operations. This would result in significant financial losses and reputational damage.

Tools Used

Recommendations

To safely perform reverse iteration, it is recommended to use the following pattern:

This ensures that no underflow occurs, thereby mitigating the risk of such DoS vulnerabilities.