UpliftFee Calculation Can Be Manipulated to Favor Users
Summary
When an LPNFT transfer occurs, the afterUpdate function is triggered, updating the upliftFee and depositValue to their values at that moment. However, during liquidity removal, the onAfterRemoveLiquidity function applies fees to the profits or imposes minimal fees. Users can exploit this system by performing self-transfers of the LPNFT to update its values in a way that minimizes their fees, causing a loss to the protocol.
Vulnerability Details
Since depositValue and upliftFee are updated during LPNFT transfers, users are effectively given the ability to choose the fee structure most advantageous to them. This undermines the protocol's fee collection mechanism.
Impact
The manipulation results in financial loss to the protocol through reduced upliftFee collection.
Tools Used
Manual Review
Recommendations
It is unnecessary to update depositValue and upliftFee during NFT transfers. Adjust the system to prevent these updates to ensure consistent fee collection.
Lead Judging Commences
finding_afterUpdate_bypass_fee_collection_updating_the_deposited_value
Likelihood: High, any transfer will trigger the bug. Impact: High, will update lpTokenDepositValue to the new current value without taking fees on profit.
finding_afterUpdate_update_upliftFeeBps
Likelihood: High, any transfer will trigger the bug. Impact: Low, will update upliftFeeBps to the new current value which will increase or decrease the fees, but at the moment there is no setter for upliftFeeBps ! So it won't change anything (but this setter should exists according the sponsor)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.