QuantAMM

Submission Details
Severity: medium
Valid

Functional lockout of users in UpliftOnlyExample via malicious LPNFT transfers

Summary

Users may be unable to add liquidity or transfer LPNFT due to exceeding the protocol's limit on array elements.

Vulnerability Details

The UpliftOnlyExample::afterUpdate function is invoked by the LPNFT contract whenever an LPNFT is transferred between addresses. During this process, a new entry is added to the poolsFeeData mapping for the _to address corresponding to the pool (poolsFeeData[poolAddress][_to]). This can result in the number of elements in poolsFeeData[poolAddress][_to] exceeding the maximum allowed (100 elements).

UpliftOnlyExample::afterUpdate function:

function afterUpdate(address _from, address _to, uint256 _tokenID) public {
    ...
    if (tokenIdIndexFound) {
        if (_to != address(0)) {
            ...
            // => entry is appended for _to with no check on the array length
            poolsFeeData[poolAddress][_to].push(feeDataArray[tokenIdIndex]);
            ...
        }
    }
}

If a user exceeds this limit, they are unable to:

  • Add liquidity via UpliftOnlyExample::addLiquidityProportional.

  • Transfer their LPNFT when the UpliftOnlyExample::afterUpdate function exceeds the gas limit.

Furthermore, an attacker can exploit this vulnerability by repeatedly calling UpliftOnlyExample::addLiquidityProportional with minimal maxAmountsIn values to generate multiple LPNFTs. These LPNFTs can then be transferred to a target user's address, causing their poolsFeeData to exceed the limit. Once affected, the user must invoke the UpliftOnlyExample::removeLiquidityProportional function to reduce the array size and regain functionality.

Impact

A malicious actor can block targeted users from participating in core protocol functionalities, such as adding liquidity or transferring their LPNFT.

Recommendations

Consider refactoring poolsFeeData to use a more scalable structure that does not impose a strict limit on the number of elements.
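
A narrower alternative to the refactor is to enforce the per-owner limit on the transfer path as well as the deposit path. The contract below is an added example, not QuantAMM's code: FeeDataCapModel, FeeData and its fields, MAX_PER_OWNER, recordDeposit, recordTransfer and the two errors are assumed names, and only poolsFeeData and the 100-element limit come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: simplified model of the bookkeeping, not the QuantAMM contract.
contract FeeDataCapModel {
    struct FeeData { uint256 tokenID; uint256 amount; } // fields are assumptions

    uint256 public constant MAX_PER_OWNER = 100; // limit quoted in the finding

    // pool => owner => deposits, same shape as poolsFeeData in the finding
    mapping(address => mapping(address => FeeData[])) internal poolsFeeData;

    error TooManyDeposits(address owner);
    error UnknownToken(uint256 tokenID);

    // Single choke point: every append for `owner` passes the same length check.
    function _pushChecked(address pool, address owner, FeeData memory d) internal {
        if (poolsFeeData[pool][owner].length >= MAX_PER_OWNER) revert TooManyDeposits(owner);
        poolsFeeData[pool][owner].push(d);
    }

    // Deposit path (stands in for addLiquidityProportional).
    function recordDeposit(address pool, uint256 tokenID, uint256 amount) external {
        _pushChecked(pool, msg.sender, FeeData(tokenID, amount));
    }

    // Transfer path (stands in for afterUpdate). Caller restriction omitted in this model.
    function recordTransfer(address pool, address from, address to, uint256 tokenID) external {
        FeeData[] storage src = poolsFeeData[pool][from];
        uint256 len = src.length;
        for (uint256 i = 0; i < len; ++i) {
            if (src[i].tokenID != tokenID) continue;
            FeeData memory moved = src[i];
            // Close the gap while keeping the remaining entries in order.
            for (uint256 j = i; j + 1 < len; ++j) src[j] = src[j + 1];
            src.pop();
            // Reverts the whole transfer if the recipient is already at the limit.
            if (to != address(0)) _pushChecked(pool, to, moved);
            return;
        }
        revert UnknownToken(tokenID);
    }

    function depositCount(address pool, address owner) external view returns (uint256) {
        return poolsFeeData[pool][owner].length;
    }
}
```

With this check a recipient's array can never exceed the limit, so the afterUpdate gas exhaustion is bounded. A recipient can still be filled up to the limit by unsolicited transfers, which is why the recommendation above targets the data structure itself.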

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_afterUpdate_does_not_check_limit_NFT_per_user

Likelihood: Medium/High, anyone can receive an unlimited number of NFTs, but it will cost the creation of LP tokens and sending them. Impact: Low/Medium, DoS of afterUpdate and addLiquidityProportional, but it will be mitigable on-chain because a lot of those NFTs can be burned easily in onAfterRemoveLiquidity.
