QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: medium

Valid

Fee miscalculation bug in UpliftOnlyExample::onAfterRemoveLiquidity function

ragnarok

Summary

The formula used to calculate the value change of LP tokens in the UpliftOnlyExample::onAfterRemoveLiquidity function is incorrect, resulting in miscalculated fee amounts.

Vulnerability Details

In the UpliftOnlyExample::onAfterRemoveLiquidity function, the formula used for calculating the value change of LP token (localData.lpTokenDepositValueChange) is flawed:

UpliftOnlyExample::onAfterRemoveLiquidity function:

function onAfterRemoveLiquidity(...) public override onlySelfRouter(router) returns (bool, uint256[] memory hookAdjustedAmountsOutRaw) {

address userAddress = address(bytes20(userData));

...

localData.lpTokenDepositValueNow = getPoolLPTokenValue(localData.prices, pool, MULDIRECTION.MULDOWN);

FeeData[] storage feeDataArray = poolsFeeData[pool][userAddress];

localData.feeDataArrayLength = feeDataArray.length;

localData.amountLeft = bptAmountIn;

for (uint256 i = localData.feeDataArrayLength - 1; i >= 0; --i) {

localData.lpTokenDepositValue = feeDataArray[i].lpTokenDepositValue;

=> localData.lpTokenDepositValueChange =

=> (int256(localData.lpTokenDepositValueNow) - int256(localData.lpTokenDepositValue)) /

=> int256(localData.lpTokenDepositValue);

uint256 feePerLP;

if (localData.lpTokenDepositValueChange > 0) {

feePerLP = (uint256(localData.lpTokenDepositValueChange) * uint256(feeDataArray[i].upliftFeeBps) * 1e18) / 10000;

}

else {

feePerLP = (uint256(minWithdrawalFeeBps) * 1e18) / 10000;

}

...

}

...

}

The formula is lpTokenDepositValueChange = (lpTokenDepositValueNow - lpTokenDepositValue) / lpTokenDepositValue

This formula always returns 0 when lpTokenDepositValueNow - lpTokenDepositValue is less than lpTokenDepositValue. For example, if lpTokenDepositValueNow = 1999 and lpTokenDepositValue = 1000, the calculation results in 0 ((1999 - 1000) / 1000 = 0).
This leads to lpTokenDepositValueChange equaling 0 in cases where lpTokenDepositValueNow < 2 * lpTokenDepositValue. Consequently, the feePerLP is miscalculated, potentially causing the overall fee amount to be less than intended, resulting in financial loss.

Impact

The incorrect calculation of the fee amount may lead to financial discrepancies, causing a loss for the protocol.

Recommendations

Update the formula to ensure accurate calculation of lpTokenDepositValueChange.

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_onAfterRemoveLiquidity_lpTokenDepositValueChange_rounding_error_100%_minimum

Likelihood: High, every call to the function (withdraw) Impact: Low/Medium, uplift fees will be applied only when the price of one asset is doubled but fixed fees will still be collected.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.