QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

Invalid `lastPoolUpdateRun` Set by Malicious Pool Owner Causes Denial of Service

bladesec

Title

Invalid lastPoolUpdateRun Set by Malicious Pool Owner Causes Denial of Service

Summary

The InitialisePoolLastRunTime function in UpdateWeightRunner contract can be called by pool admin to set the lastPoolUpdateRun timestamp for a pool.
With no validation on validity of provided timestamp, a future timestamp could be set which will cause the performUpdate function to revert

Vulnerability Details

The InitialisePoolLastRunTime function allows setting an arbitrary timestamp for lastPoolUpdateRun:

function InitialisePoolLastRunTime(address _poolAddress, uint40 _time) external {

uint256 poolRegistryEntry = approvedPoolActions[_poolAddress];

//current breakglass settings allow pool creator trigger. This is subject to review

if (poolRegistryEntry & MASK_POOL_OWNER_UPDATES > 0) {

require(msg.sender == poolRuleSettings[_poolAddress].poolManager, "ONLYMANAGER");

} else if (poolRegistryEntry & MASK_POOL_QUANTAMM_ADMIN_UPDATES > 0) {

require(msg.sender == quantammAdmin, "ONLYADMIN");

} else {

revert("No permission to set last run time");

}

>> poolRuleSettings[_poolAddress].timingSettings.lastPoolUpdateRun = _time;

emit PoolLastRunSet(_poolAddress, _time);

}

If lastPoolUpdateRun is set to a timestamp in the future, then block.timestamp - settings.timingSettings.lastPoolUpdateRun will go negative that results in a failure in performUpdate function.

This vulnerability particularly affects pools where the pool creator is untrusted. As stated documentation, scenarios where pool creators manipulate pool operations are considered in-scope.

Impact

If a future timestamp is set for lastPoolUpdateRun, the pool will be unable to process updates until the blockchain's timestamp catches up. This means the pool's weights won't adjust as intended, which can result in incorrect pricing, increased impermanent loss for liquidity providers, and opportunities for malicious attackers

Also, it gives malicious pool owners the ability to control when updates occur, potentially disrupting the pool's performance and harming LPs.

Tools Used

Manual Review

Recommendations

To prevent this issue, ensure that the timestamp provided in the InitialisePoolLastRunTime function is not set in the future.

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.