QuantAMM
49,600 OP
Submission Details
Severity: medium
Invalid

Missing NFT Burn Mechanism on Liquidity Removal

Summary

QuantAMM Protocol's liquidity removal process has a serious flaw. When liquidity is withdrawn via the removeLiquidityProportional function, the LP NFTs representing ownership of that liquidity are not burned.
This leaves the NFT holders with opportunities for unauthorized interactions, protocol manipulation, and potential exploitation.

Vulnerability Details

Here is the implementation of the removeLiquidityProportional function in the UpliftOnlyExample contract:

function removeLiquidityProportional(
    uint256 bptAmountIn,
    uint256[] memory minAmountsOut,
    bool wethIsEth,
    address pool
) external payable saveSender(msg.sender) returns (uint256[] memory amountsOut) {
    uint depositLength = poolsFeeData[pool][msg.sender].length;
    if (depositLength == 0) {
        revert WithdrawalByNonOwner(msg.sender, pool, bptAmountIn);
    }
    // Do removeLiquidity operation - tokens sent to msg.sender.
    amountsOut = _removeLiquidityProportional(
        pool,
        address(this),
        msg.sender,
        bptAmountIn,
        minAmountsOut,
        wethIsEth,
        abi.encodePacked(msg.sender)
    );
}

As seen above, during liquidity removal via removeLiquidityProportional the protocol does not burn the NFT associated with the withdrawn liquidity.

This allows users to retain ownership of the NFTs even after their liquidity has been fully withdrawn, so the NFTs no longer represent valid liquidity positions. Any mechanism that relies on NFT ownership, such as governance or reward claims, can then be exploited.

Impact

The missing NFT burn mechanism has several severe consequences:

  • Unauthorized Reward Claims: Users may continue to claim liquidity rewards even after withdrawing their liquidity, leading to economic losses for the protocol.

  • Fraudulent Transfers: Malicious actors can transfer or sell these "ghost" NFTs, deceiving unsuspecting buyers into purchasing invalid tokens.

This vulnerability poses a significant risk to the protocol's security, governance integrity, and economic stability.

Tools Used

Manual Review

Recommendations

Implement an NFT burn mechanism during liquidity removal in the removeLiquidityProportional function, so that an NFT is destroyed once the liquidity it represents has been fully withdrawn.
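The following is an added, hypothetical illustration of the recommended pattern; it is not QuantAMM or UpliftOnlyExample code and does not reproduce the project's fee or hook logic. It assumes OpenZeppelin's ERC721 (v5) is available at the import path shown. The contract mints one position NFT per deposit, checks that the caller owns the NFT before any withdrawal (the analogue of the WithdrawalByNonOwner revert in the snippet above), and burns the NFT in the same transaction when the position reaches zero, so no token can outlive the liquidity it represents.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example contract (not the project's code).
// Assumes OpenZeppelin Contracts v5 is installed at this path.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

contract PositionNFTExample is ERC721 {
    struct Position {
        address pool;       // pool the liquidity was added to
        uint256 bptAmount;  // LP (BPT) amount this NFT still represents
    }

    uint256 private _nextId = 1;
    mapping(uint256 => Position) public positions;

    error NotPositionOwner(address caller, uint256 tokenId);
    error ExceedsPosition(uint256 requested, uint256 available);

    event PositionClosed(uint256 indexed tokenId, address indexed owner);

    constructor() ERC721("Example LP Position", "eLP") {}

    // One NFT per deposit; the NFT is the only on-chain record of the position.
    function addLiquidity(address pool, uint256 bptAmount) external returns (uint256 tokenId) {
        tokenId = _nextId++;
        positions[tokenId] = Position({pool: pool, bptAmount: bptAmount});
        _mint(msg.sender, tokenId);
        // The actual pool deposit would happen here (omitted in this illustration).
    }

    // Withdraw part or all of a position. A full withdrawal burns the NFT, so the
    // token cannot be held, transferred or used to claim anything afterwards.
    function removeLiquidity(uint256 tokenId, uint256 bptAmountIn) external {
        // ownerOf reverts for a burned or never-minted token, so a stale id fails here.
        if (ownerOf(tokenId) != msg.sender) revert NotPositionOwner(msg.sender, tokenId);

        Position storage p = positions[tokenId];
        if (bptAmountIn > p.bptAmount) revert ExceedsPosition(bptAmountIn, p.bptAmount);

        // Effects before interactions: update the recorded position first.
        p.bptAmount -= bptAmountIn;

        // The actual pool withdrawal to msg.sender would happen here (omitted).

        if (p.bptAmount == 0) {
            delete positions[tokenId];
            _burn(tokenId); // from now on ownerOf(tokenId) reverts
            emit PositionClosed(tokenId, msg.sender);
        }
    }
}
```

The key property is that the burn happens in the same function as the withdrawal rather than in a separate user-initiated step: after removeLiquidity drives the position to zero, ownerOf(tokenId) reverts, so any reward, governance or transfer path keyed on the NFT fails closed instead of treating the empty position as live.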

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
