Weight Normalization Bypass in QuantAMM Guard Rails Due to Single-Weight Correction
Vulnerability Detail
The QuantAMMMathGuard contract implements guard rails for weight updates in the QuantAMM protocol through its _normalizeWeightUpdates() function. This function is responsible for ensuring that weight updates respect both the maximum change limit (_epsilonMax) and that weights sum to ONE (1e18).
The current implementation attempts to correct any deviation from the target sum by adding the entire difference to the first weight:
This creates a vulnerability where an attacker could manipulate input weights to force a large correction on the first weight, potentially breaking the guard rail constraints. While the implementation assumes corrections will be minimal (around 1e-18), there's no enforcement of this assumption.
For example, if an attacker provides weights that sum to significantly less than ONE after epsilon-based rescaling, the entire difference would be added to _newWeights[0], potentially causing it to exceed the _absoluteWeightGuardRail limit that was previously enforced by _clampWeights().
Impact
Pool weights can be manipulated beyond their intended guard rail limits, enabling potential price manipulation.
Recommendation
Implement proportional distribution of weight corrections across all tokens instead of applying to a single weight:
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.