Shared Storage Variable for Swap Fees and Uplift Fees
Summary
The quantAMMSwapFeeTake storage variable is used for both swap fees and uplift fees due to a bug in the setQuantAMMUpliftFeeTake function.
This means the two logically distinct fee parameters share the same storage, leading to potential overwriting, miscalculations, or protocol misbehavior.
Vulnerability Details
The setQuantAMMUpliftFeeTake function overwrites the quantAMMSwapFeeTake variable instead of using a separate variable for the uplift fee:
The intended functionality is to allow the admin to independently set the swap fee (quantAMMSwapFeeTake) and the uplift fee (quantAMMUpliftFeeTake).
However, both functions operate on the same variable (quantAMMSwapFeeTake), causing them to overwrite each other.
Additionally, the getQuantAMMUpliftFeeTake function incorrectly retrieves the quantAMMSwapFeeTake value:
Impact
Changes to the uplift fee inadvertently overwrite the swap fee and vice versa, leading to incorrect fee amounts being applied in protocol operations.
Recommendations
Implement separate storage variables for each fee type
Lead Judging Commences
finding_quantAMMSwapFeeTake==quantAMMUplfitFeeTake
Likelyhood: High, calling setters or getters Impact: Low/Medium, both getters return `quantAMMSwapFeeTake` and `setQuantAMMUpliftFeeTake` modify `quantAMMUplfitFeeTake`. Real impact: those 2 values will be always the same.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.