Vanguard

First Flight #56

Beginner FriendlyDeFiFoundry

0 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: high

Phase 3 Returns OVERRIDE_FEE_FLAG Without Fee Value - LPs Earn 0% Fees Permanently After Bot Protection Ends

Author Revealed upon completion

Root + Impact

Description

Root + Impact

Description

In Phase 3 (post-bot-protection), the _beforeSwap function returns only LPFeeLibrary.OVERRIDE_FEE_FLAG without any fee value:

if (currentPhase == 3) {

return (BaseHook.beforeSwap.selector, BeforeSwapDeltaLibrary.ZERO_DELTA, LPFeeLibrary.OVERRIDE_FEE_FLAG);

// @> BUG: Returns 0x800000 - the flag bit is set, but fee bits (lower 23) are all zero

}

In Uniswap V4, OVERRIDE_FEE_FLAG (0x800000) indicates "use this as the fee". The actual fee is in the lower 23 bits. With only the flag set, effective fee = 0x800000 & 0x7FFFFF = 0%.

Compare to penalty handling which correctly combines fee + flag:

return (..., feeOverride | LPFeeLibrary.OVERRIDE_FEE_FLAG); // Correct: fee value OR'd with flag

Risk

Impact: HIGH - LPs earn 0% fees on ALL swaps after Phase 2 ends, permanently. This causes:

Economic Loss: Zero LP revenue after bot protection period
LP Flight: Rational LPs will remove liquidity
Pool Death: No liquidity incentives = unusable pool

Likelihood: HIGH - This is deterministic behavior in every pool using this hook after Phase 2.

Proof of Concept

// Phase 3 returns:

uint24 returnValue = LPFeeLibrary.OVERRIDE_FEE_FLAG; // = 0x800000

// Fee extraction:

uint24 effectiveFee = returnValue & 0x7FFFFF; // = 0

// LP fee = 0% forever!

Recommended Mitigation

Return 0 without the override flag to use pool's default fee:

if (currentPhase == 3) {

- return (..., LPFeeLibrary.OVERRIDE_FEE_FLAG);

+ return (..., 0); // Use pool's configured default fee

}

Describe the normal behavior in one or more sentences
Explain the specific issue or problem in one or more sentences

// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
Reason 2

Impact:

Impact 1
Impact 2

Proof of Concept

Recommended Mitigation

- remove this code

+ add this code

Rewards breakdown

nSLOC

273

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!