QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

`UpdateWeightRunner` - Logical flaw in permission logic on `quantammAdmin`

bladesec

Title

UpdateWeightRunner - Logical flaw in permission logic on quantammAdmin

Summary

If both MASK_POOL_OWNER_UPDATES and MASK_POOL_QUANTAMM_ADMIN_UPDATES are enabled for a pool, a logical flaw in the implementation prevents the quantammAdmin from accessing key functions as the checks prioritize the pool manager and inadvertently exclude the admin.

Vulnerability Details

MASK_POOL_OWNER_UPDATES represents the allowance for pool owners to update weights, while MASK_POOL_QUANTAMM_ADMIN_UPDATES represents the allowance for the QuantAMM admin the ability to perform administrative updates.
However, if both flags are enabled for a pool, the quantammAdmin will be unable to call the main functions including InitialisePoolLastRunTime, setIntermediateValuesManually, and setWeightsManually.

This is caused by a logical flaw in the implementation of these functions, which fails to correctly handle scenarios where both flags are active.

Let's take a look at setWeightsManually function:

function setWeightsManually(
int256[] calldata _weights,
address _poolAddress,
uint40 _lastInterpolationTimePossible,
uint _numberOfAssets
) external {
uint256 poolRegistryEntry = QuantAMMWeightedPool(_poolAddress).poolRegistry();
if (poolRegistryEntry & MASK_POOL_OWNER_UPDATES > 0) {
require(msg.sender == poolRuleSettings[_poolAddress].poolManager, "ONLYMANAGER");
} else if (poolRegistryEntry & MASK_POOL_QUANTAMM_ADMIN_UPDATES > 0) {
require(msg.sender == quantammAdmin, "ONLYADMIN");
} else {
revert("No permission to set weight values");
}
//though we try to keep manual overrides as open as possible for unknown unknows
//given how the math library works weights it is easiest to define weights as 18dp
//even though technically G3M works of the ratio between them so it is not strictly necessary
//CYFRIN L-02
for (uint i; i < _weights.length; i++) {
if (i < _numberOfAssets) {
require(_weights[i] > 0, "Negative weight not allowed");
require(_weights[i] < 1e18, "greater than 1 weight not allowed");
}
}
IQuantAMMWeightedPool(_poolAddress).setWeights(_weights, _poolAddress, _lastInterpolationTimePossible);
emit SetWeightManual(msg.sender, _poolAddress, _weights, _lastInterpolationTimePossible);
}

As seen above, it prioritizes checking for the pool manager, which can inadvertently exclude the quantammAdmin from accessing the function. As a result, the quantammAdmin is unable to execute the function.

Impact

The logical flaw prevents the quantammAdmin from executing critical functions like InitialisePoolLastRunTime, setIntermediateValuesManually, and setWeightsManually when both MASK_POOL_OWNER_UPDATES and MASK_POOL_QUANTAMM_ADMIN_UPDATES are enabled.

This can result in the admin being unable to perform necessary updates or corrections to the pool, potentially leaving the pool in an incorrect or vulnerable state. It also undermines the intended permissions structure, which could disrupt the protocol's operations and create inefficiencies in managing the pool.

Tools Used

Manual Review

Recommendations

Modify the permission checks in the affected functions to ensure that both MASK_POOL_OWNER_UPDATES and MASK_POOL_QUANTAMM_ADMIN_UPDATES are properly handled.
Specifically, adjust the logic to allow the quantammAdmin to access these functions.

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

invalid_manual_functions_cannot_be_called_by_admin_when_pool_owner_can

Design choice confirmed by the sponsor.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.