QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Failure to Update lastPoolUpdateRun

kwakudr

Summary

The performUpdate function does not update lastPoolUpdateRunwhich is unintended.

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/UpdateWeightRunner.sol#L279C5-L300C6

Vulnerability Details

function performUpdate(address _pool) public {

//Main external access point to trigger an update

address rule = address(rules[_pool]);

require(rule != address(0), "Pool not registered");

PoolRuleSettings memory settings = poolRuleSettings[_pool];

require(

block.timestamp - settings.timingSettings.lastPoolUpdateRun >= settings.timingSettings.updateInterval,

"Update not allowed"

);

uint256 poolRegistryEntry = approvedPoolActions[_pool];

if (poolRegistryEntry & MASK_POOL_PERFORM_UPDATE > 0) {

_performUpdateAndGetData(_pool, settings);

// emit event for easier tracking of updates and to allow for easier querying of updates

emit UpdatePerformed(msg.sender, _pool);

} else {

revert("Pool not approved to perform update");

}

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/UpdateWeightRunner.sol#L279C5-L300C6

The performUpdate function retrieves the PoolRuleSettings for the pool and stores it in a memory variable settings

PoolRuleSettings memory settings = poolRuleSettings[_pool];

It then checks if enough time has passed since the last update

require(block.timestamp - settings.timingSettings.lastPoolUpdateRun >= settings.timingSettings.updateInterval,````"Update not allowed"````);

The function proceeds to call _performUpdateAndGetData, passing settings as an argument

_performUpdateAndGetData(_pool, settings);

However, after performing the update, the code does not update the lastPoolUpdateRun timestamp in the storage variable poolRuleSettings[_pool]

After each successful update, the lastPoolUpdateRun should be set to the current block.timestamp. This ensures that subsequent updates adhere to the updateInterval constraint.

Since the lastPoolUpdateRun is not updated in storage, repeated calls to performUpdate will always find the condition in the require statement to be true (as lastPoolUpdateRun remains at its initial value, likely 0 after deployment)

Impact

The function is intended to enforce a minimum time interval (updateInterval) between updates to prevent excessive or rapid updates but that will not be achieved.

Tools Used

Manual Review

Recommendations

After performing the update, you need to update the lastPoolUpdateRun in the storage variable to reflect the current time.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.