QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Immutable UpdateWeightRunner in `QuantAMMWeightedPoolFactory` forces new factory deployments after hot fixes

0xhuntoor

Summary

The _updateWeightRunner address in QuantAMMWeightedPoolFactory is marked as immutable and can't be changed by setter function, preventing newly created pools from using upgraded versions of the UpdateWeightRunner contract in case of required hotfixes or improvements.

Vulnerability Details

address private immutable _updateWeightRunner;

This creates a scenario where:

  • Protocol team deploys new UpdateWeightRunner with security fixes

  • But new pools are still created with reference to old UpdateWeightRunner

Impact

  1. Prevents protocol upgrades for new pools

  2. Forces deployment of new factory contracts for upgrades

  3. Could leave new pools vulnerable to known issues

Tools Used

  • Manual code review

Recommendations

  • Remove immutable keyword and implement upgradeable pattern:

contract QuantAMMWeightedPoolFactory {
address private _updateWeightRunner;
function setUpdateWeightRunner(address newRunner) external {
require(msg.sender == admin, "Only admin");
require(newRunner != address(0), "Invalid address");
_updateWeightRunner = newRunner;
emit UpdateWeightRunnerChanged(newRunner);
}
}
Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.