QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Insufficient parameter validation in MomentumUpdateRule contract

zubyoz

Summary

The MomentumUpdateRule contract contains inadequate validation for the kappa parameter in its validParameters function. This could allow malicious or erroneous inputs to affect the weight calculations of the pool, potentially leading to economic vulnerabilities or system instability.

Vulnerability Details

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/rules/MomentumUpdateRule.sol#L163

if (!(kappa[i] > 0)) {

valid = 0;

break;

}

This validation is insufficient as it only checks if kappa values are greater than zero, without implementing proper bounds checking or considering the impact of extreme values on the weight calculations.

Impact

The vulnerability can manifest in several ways:

Economic Impact Scenario:
An attacker could input extremely large kappa values that pass the basic validation
These values would be used in the weight calculation formula: w(t) = w(t − 1) + κ · ( 1/p(t) * ∂p(t)/∂t − ℓp(t))
This could result in extreme weight adjustments, potentially leading to:
Unintended asset allocation
Market manipulation opportunities
Destabilization of pool economics
Technical Impact:
Large kappa values could cause numerical instability
Potential overflow in calculations despite using PRBMath
Unexpected behavior in weight updates affecting pool balance

Example Attack Scenario:

Attacker identifies the lack of upper bounds in kappa validation
They input a very large kappa value that passes the > 0 check
This causes extreme weight adjustments in the _getWeights function
Pool weights become severely imbalanced
Attacker exploits this imbalance for financial gain

Tools Used

Manual code review

Recommendations

Implement proper bounds checking for kappa values:

function validParameters(int256[][] calldata _parameters) external pure override returns (bool) {

if (_parameters.length == 1 || (_parameters.length == 2 && _parameters[1].length == 1)) {

int256[] memory kappa = _parameters[0];

uint16 valid = uint16(kappa.length) > 0 ? 1 : 0;

for (uint i; i < kappa.length; ) {

// Add upper bound check

if (!(kappa[i] > 0) || kappa[i] > MAX_KAPPA_VALUE) {

valid = 0;

break;

}

unchecked { ++i; }

}

return valid == 1;

}

return false;

}

Add parameter interdependency validation:
Validate kappa array length matches pool assets
Implement reasonable bounds based on economic models
Add checks for parameter relationships
Consider implementing emergency controls:
Add ability to pause weight updates if extreme values are detected
Implement gradual weight adjustment limits
Add monitoring for unusual weight changes
Add documentation specifying safe parameter ranges and their economic implications

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.