QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

In the UpliftOnlyExample contract, the restriction of 100 deposits per user can be violated.

Summary

In UpliftOnlyExample.sol, each user is restricted to 100 deposits to avoid DDoS issues. However, the number of deposits by a particular user can exceed 100 by 1.

Vulnerability Details

In the function addLiquidityProportional in UpliftOnlyExample.sol, the user is restricted to 100 deposits to avoid DDoS issues. However, the user can exceed this limit by 1 because of the comparison used in the ‘if’ check at line #226.

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-hooks/contracts/hooks-quantamm/UpliftOnlyExample.sol#L225-L228

) external payable saveSender(msg.sender) returns (uint256[] memory amountsIn) {
    if (poolsFeeData[pool][msg.sender].length > 100) {
        revert TooManyDeposits(pool, msg.sender);
    }

Here, the user can still add liquidity when they already have exactly 100 deposits, because the condition “(poolsFeeData[pool][msg.sender].length > 100)” evaluates to false.

Impact

The user is restricted to 100 deposits to avoid DDoS issues.
Likelihood is medium, but the impact is low.

Tools Used

Manual review

Recommended Mitigation

Consider changing the check to “poolsFeeData[pool][msg.sender].length > 99” or “poolsFeeData[pool][msg.sender].length >= 100”. The modified portion of the code can be:

) external payable saveSender(msg.sender) returns (uint256[] memory amountsIn) {
    if (poolsFeeData[pool][msg.sender].length >= 100) { //@audit modified
        revert TooManyDeposits(pool, msg.sender);
    }

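
The boundary can be pinned down with a small stand-alone model that counts how many deposits each form of the check accepts. This is an added example, not code from the QuantAMM repository or from the submission; DepositCapModel, deposit and countAccepted are hypothetical names, and only the length check and the TooManyDeposits error mirror the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration: a minimal model of the per-user deposit cap, not the QuantAMM contract.
// DepositCapModel, deposit() and countAccepted() are hypothetical names.
contract DepositCapModel {
    error TooManyDeposits(address pool, address user);

    uint256 public constant MAX_DEPOSITS = 100; // intended cap stated in the report

    // pool => user => one entry per deposit (stand-in for the per-deposit fee records)
    mapping(address => mapping(address => uint256[])) internal poolsFeeData;

    // strict == true reproduces the reported check (length > 100);
    // strict == false applies the recommended check (length >= 100).
    function deposit(address pool, bool strict) external {
        uint256 n = poolsFeeData[pool][msg.sender].length;
        if (strict ? n > MAX_DEPOSITS : n >= MAX_DEPOSITS) {
            revert TooManyDeposits(pool, msg.sender);
        }
        poolsFeeData[pool][msg.sender].push(block.timestamp);
    }

    // Deposits repeatedly until the cap reverts and returns how many were accepted.
    // Calls go through `this`, so msg.sender inside deposit() is this contract.
    function countAccepted(address pool, bool strict) external returns (uint256 accepted) {
        delete poolsFeeData[pool][address(this)]; // start from an empty deposit list
        for (uint256 i = 0; i < MAX_DEPOSITS + 5; i++) {
            try this.deposit(pool, strict) {
                accepted++;
            } catch {
                break; // first rejected deposit marks the effective cap
            }
        }
    }
}
```

Calling countAccepted(pool, true) returns 101 and countAccepted(pool, false) returns 100, so the pair can serve as a regression check on the cap.
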
Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_Uplift_101_deposit_strict_equal

Only 1 more NFT won’t have any impact. Informational.
