QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: high
Invalid

Unbounded Power Exponents in Channel Rules Can Lead to Pool Weight Manipulation

4gontuk

Summary

Lack of upper bounds on power exponents in channel-based update rules allows manipulation of pool weights through precision loss, potentially leading to significant value extraction through arbitrage.

Vulnerability Details

The QuantAMM protocol uses power-based calculations in its channel update rules (PowerChannelUpdateRule and ChannelFollowingUpdateRule) to dynamically adjust pool weights. These rules calculate weight adjustments using power exponentiation where the exponent q is provided as a parameter.

While the protocol implements weight guardrails through QuantAMMMathGuard to prevent extreme weight shifts, the core vulnerability exists in the initial power calculation stage of PowerChannelUpdateRule._getWeights():

locals.q = _parameters[1][0]; // No upper bound validation
locals.intermediateRes = ONE.div(locals.denominator).mul(locals.newWeights[locals.i]);
locals.sign = locals.intermediateRes >= 0 ? ONE : -ONE;
locals.newWeights[locals.i] = locals.sign.mul(_pow(locals.intermediateRes.abs(), locals.q));

The contract lacks an upper bound check for the q parameter before performing power calculations. While QuantAMMMathGuard._guardQuantAMMWeights() provides some protection through _epsilonMax and _absoluteWeightGuardRail, these guardrails only apply after the power calculation has already potentially suffered from precision loss. The power calculation uses PRBMath library's exponential functions, which can produce extremely small or large numbers when the exponent is large, leading to severe precision loss in the fixed-point arithmetic system.

This precision loss occurs before the weight normalization process and guardrail checks, allowing the pool weights to shift in unintended ways despite the presence of safety mechanisms. The issue is particularly severe because the precision loss compounds with each update cycle, gradually pushing the pool weights towards imbalanced states that create arbitrage opportunities.

Impact

High severity as unbounded power exponents can cause severe precision loss in weight calculations, leading to pool imbalances and arbitrage opportunities. The systemic nature affects all channel-based rules and becomes more severe with frequent updates.

Proof of Concept

  1. Attacker identifies a pool using PowerChannelUpdateRule:

    • Initial weights: [5e18, 5e18] (50-50 split)

    • Current price: 1e18 ($1)

    • Price gradient: 0.1e18 (10% increase)

  2. Attacker sets a large q parameter:

q = 50e18 // No upper bound check prevents this

  1. Weight calculation executes:

// intermediateRes = (1e18/1e18) * 0.1e18 = 0.1e18
intermediateRes = ONE.div(price).mul(price_gradient)
// Power calculation with large exponent
result = _pow(0.1e18, 50e18) // 0.1^50 ≈ 1e-50
// Results in effective zero due to precision loss

  1. Weight adjustment becomes ineffective:

newWeight = prevWeight + kappa * (0 - normalization)
// Weight shifts in unintended direction

  1. Attacker exploits the imbalanced weights through arbitrage trades, extracting value from the pool.

Tools Used

Manual Review

Recommended Mitigation Steps

Implement strict upper bounds for power exponents in channel-based rules and introduce a safe power calculation function that uses Taylor series approximation for values near 1 to maintain precision. This ensures power calculations remain within safe bounds while preserving the intended weight adjustment behavior.

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.