QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Unchecked arithmetic operations and unsafe loop increments in QuantAMMGradientBasedRule contract

Summary

The QuantAMMGradientBasedRule contract contains multiple instances of unchecked arithmetic operations and unsafe loop increments that could lead to overflows, underflows, and potential division by zero errors. These issues could result in incorrect gradient calculations and potentially compromise the pool's weight updates.

Vulnerability Details

The vulnerabilities are present in several critical areas of the contract:
https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/rules/base/QuantammGradientBasedRule.sol#L71-L101

  1. Unchecked Loop Increments:

    for (uint i; i < numberOfAssetsMinusOne; ) {
        // ... calculations ...
        unchecked {
            i += 2;
            ++locals.storageArrayIndex;
        }
    }

  2. Unsafe Power and Division Operations:
    https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/rules/base/QuantammGradientBasedRule.sol#L61

    locals.mulFactor = oneMinusLambda.pow(THREE).div(convertedLambda);

  3. Unchecked Arithmetic in Gradient Calculations:
    https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/rules/base/QuantammGradientBasedRule.sol#L73-L75

    https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/rules/base/QuantammGradientBasedRule.sol#L84-L88

    locals.intermediateValue =
        convertedLambda.mul(locals.intermediateGradientState[i]) +
        (_newData[i] - _poolParameters.movingAverage[i]).div(oneMinusLambda);
    // Lines 84-88
    locals.secondIntermediateValue =
        convertedLambda.mul(locals.intermediateGradientState[locals.secondIndex]) +
        (_newData[locals.secondIndex] - _poolParameters.movingAverage[locals.secondIndex]).div(
            oneMinusLambda
        );

  4. Unchecked Array Access:
    https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/rules/base/QuantammGradientBasedRule.sol#L92-L95

    intermediateGradientStates[_poolParameters.pool][locals.storageArrayIndex] = _quantAMMPackTwo128(
        locals.intermediateGradientState[i],
        locals.secondIntermediateValue
    );

Impact

The vulnerabilities could lead to:

  • Silent overflows/underflows in weight calculations

  • Incorrect gradient computations due to arithmetic errors

  • Potential division by zero errors

  • Array access out of bounds

  • Accumulation of computational errors in loop iterations

  • Potential manipulation of pool weights through carefully crafted inputs

Severity: High, as these issues could affect the core functionality of the pool's weight calculations and potentially lead to financial losses.

Tools Used

  • Manual code review

Recommendations

  1. Add Input Validation:

    function _calculateQuantAMMGradient(
        int256[] memory _newData,
        QuantAMMPoolParameters memory _poolParameters
    ) internal returns (int256[] memory) {
        require(_newData.length == _poolParameters.numberOfAssets, "Invalid input length");
        require(_poolParameters.lambda[0] != 0, "Lambda cannot be zero");
        require(_poolParameters.lambda[0] != ONE, "Lambda cannot be one");
        // ... existing gradient calculation continues here ...
    }

  2. Implement Safe Arithmetic:

    // Replace unchecked operations with safe arithmetic
    locals.mulFactor = oneMinusLambda.pow(THREE);
    require(convertedLambda != 0, "Division by zero");
    locals.mulFactor = locals.mulFactor.div(convertedLambda);

  3. Add Bounds Checking:

    require(locals.storageArrayIndex < intermediateGradientStates[_poolParameters.pool].length, "Index out of bounds");

  4. Implement Value Range Validation:

    // After critical calculations
    require(locals.intermediateValue < MAX_VALUE, "Value exceeds maximum");
    require(locals.intermediateValue > MIN_VALUE, "Value below minimum");

  5. Consider Using SafeMath:

    • For critical calculations, consider using the SafeMath library even with Solidity 0.8+ to ensure explicit checks

    • Add explicit overflow checks for important arithmetic operations

  6. Add Circuit Breakers:

    • Implement maximum and minimum thresholds for gradient values

    • Add emergency stops if calculations exceed safe bounds

  7. Improve Documentation:

    • Document expected value ranges for all parameters

    • Add explicit warnings about potential numerical limitations

    • Document assumptions about input values and their relationships
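The following is an added example, not part of the submission or the QuantAMM code base: a Python model of the two expressions quoted from lines 61 and 73-75, showing which lambda values produce a zero divisor and how the recommended lambda checks reject them first. It assumes an 18-decimal signed fixed-point scale for ONE and reads pow(THREE) as a cube; all function names are hypothetical.

```python
ONE = 10**18  # assumed scale: 18-decimal signed fixed point


def fmul(a: int, b: int) -> int:
    """Fixed-point multiply, truncating toward zero."""
    n = a * b
    q = abs(n) // ONE
    return q if n >= 0 else -q


def fdiv(a: int, b: int) -> int:
    """Fixed-point divide, truncating toward zero; raises ZeroDivisionError if b == 0."""
    n = a * ONE
    q = abs(n) // abs(b)
    return q if (n >= 0) == (b > 0) else -q


def raw_step(lam: int, state: int, new_data: int, moving_avg: int):
    """Model of the quoted expressions with no input checks (hypothetical name)."""
    one_minus = ONE - lam
    # mulFactor = (1 - lambda)^3 / lambda  -> divisor is lambda
    mul_factor = fdiv(fmul(fmul(one_minus, one_minus), one_minus), lam)
    # lambda * state + (newData - movingAverage) / (1 - lambda) -> divisor is 1 - lambda
    intermediate = fmul(lam, state) + fdiv(new_data - moving_avg, one_minus)
    return mul_factor, intermediate


def validate_lambda(lam: int) -> None:
    """The two lambda checks from recommendation 1."""
    if lam == 0:
        raise ValueError("Lambda cannot be zero")
    if lam == ONE:
        raise ValueError("Lambda cannot be one")


def checked_step(lam: int, state: int, new_data: int, moving_avg: int):
    """raw_step behind the validation, so bad lambdas fail with a named reason."""
    validate_lambda(lam)
    return raw_step(lam, state, new_data, moving_avg)


def zero_divisor_hit(lam: int) -> bool:
    """True if this lambda drives one of the two divisions to a zero divisor."""
    try:
        raw_step(lam, 2 * ONE, 3 * ONE, ONE)  # constructed sample inputs
    except ZeroDivisionError:
        return True
    return False
```
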

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
