QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

`_poolVersion` not being used to track version for created pools

mbushbush

`_poolVersion` not being used to track version for created pools

Code Snippets

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/QuantAMMWeightedPoolFactory.sol#L100

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/QuantAMMWeightedPoolFactory.sol#L145

Summary

QuantAMMWeightedPoolFactory uses createWithoutArgs and create functions, which ignores _poolVersion state variable. Instead, a string value "version" was used.

Vulnerability Details

"version" string is used to initialize a new pool. This approach hinders version tracking and management, making it challenging for protocol teams to monitor or update pools efficiently.

function create(NewPoolParams memory params) external returns (address pool, bytes memory poolArgs) {

if (params.roleAccounts.poolCreator != address(0)) {

revert StandardPoolWithCreator();

}

LiquidityManagement memory liquidityManagement = getDefaultLiquidityManagement();

liquidityManagement.enableDonation = params.enableDonation;

// disableUnbalancedLiquidity must be set to true if a hook has the flag enableHookAdjustedAmounts = true.

liquidityManagement.disableUnbalancedLiquidity = params.disableUnbalancedLiquidity;

poolArgs = abi.encode(

QuantAMMWeightedPool.NewPoolParams({

name: params.name,

symbol: params.symbol,

numTokens: params.normalizedWeights.length,

--> version: "version",

updateWeightRunner: _updateWeightRunner,

poolRegistry: params.poolRegistry,

poolDetails: params.poolDetails

}),

getVault()

);

Impact

Using a "version" string complicates version tracking and pool updates, reducing efficiency for protocol management.

Tools Used

Manual Review

Recommendations

Use _poolVersion in place of "version" string, so that it tracks correct version of the pool.

Updates

Lead Judging Commences

n0kto Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

invalid_hardcoded_version

Version is immutable as specified in Version.sol and can be what the developer wants. It is hardcoded and will be changed by the admin for every deployment. No real impact here.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

QuantAMM

`_poolVersion` not being used to track version for created pools

_poolVersion not being used to track version for created pools

Code Snippets

Summary

Vulnerability Details

Impact

Tools Used

Recommendations

Lead Judging Commences

invalid_hardcoded_version

Prize pool breakdown

Live

Judging

Appeals

Appeals Review

Rewards Distribution

FAQs

`_poolVersion` not being used to track version for created pools