QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Negative weight propagation and potential underflow

freesultan

Summary

The _getNormalizedWeights function and its helper function calculateBlockNormalisedWeight may propagate invalid negative weights due to insufficient validation at critical stages, including weight initialization, unpacking, and adjustment. While weights are expected to be positive and represent proportions of liquidity, improper handling of arithmetic operations, multipliers, or external inputs could lead to negative weights, disrupting pool functionality and downstream calculations.

Vulnerability Details

_getNormalizedWeights

  • Role: Computes normalized weights for the pool.

  • Issue: Unpacks weights and multipliers using quantAMMUnpack32, but lacks validation to ensure weights are non-negative.

calculateBlockNormalisedWeight

  • Role: Dynamically adjusts weights based on multipliers and elapsed time.

  • Issue: Converts signed weight to unsigned without validation, allowing negative weights to propagate as large positive values due to bitwise casting.

Unpacking Functions (quantAMMUnpack32 and Variants)

  • Role: Extract weights and multipliers from packed storage formats.

  • Issue: Assumes weights are valid, but if initialization or storage corruption introduces negative values, these propagate without validation.

Unvalidated Inputs:

  • Weights unpacked from _normalizedFirstFourWeights and _normalizedSecondFourWeights may be negative if improperly initialized or corrupted.

Impact

Arithmetic Issues:

  • Multipliers applied to weights can reduce positive weights below zero, particularly over long time intervals (timeSinceLastUpdate).

Signed-to-Unsigned Casting:

  • Negative weights cast to uint256 in calculateBlockNormalisedWeight result in underflow, producing large positive values.

Logical Errors:

  • Negative weights violate the core assumption that weights represent proportions and should always be non-negative.

Disruption of Pool Calculations:

  • Invalid weights could destabilize token balances, disrupt swaps, or cause incorrect rebalancing.
    Protocol Integrity:

  • Propagation of invalid weights through external functions could lead to user losses, reputational damage, and diminished trust in the protocol.

Tools Used

Manual Code Review

Recommendations

Validate unpacked weights and multipliers to ensure they are non-negative before further computations in _getNormalizedWeights:

int256[] memory firstFourWeights = quantAMMUnpack32(_normalizedFirstFourWeights);
+ // Validate unpacked weights and multipliers
+ for (uint256 i = 0; i < firstFourWeights.length; i++) {
+ require(firstFourWeights[i] >= 0, "Negative weight unpacked");
+ }
int256[] memory secondFourWeights = quantAMMUnpack32(_normalizedSecondFourWeights);
+ // Validate unpacked weights and multipliers
+ for (uint256 i = 0; i < secondFourWeights.length; i++) {
+ require(secondFourWeights[i] >= 0, "Negative weight unpacked");
+ }

Ensure the weight parameter is non-negative before casting to uint256:

function calculateBlockNormalisedWeight(
int256 weight,
int256 multiplier,
uint256 timeSinceLastUpdate
) internal pure returns (uint256) {
int256 multiplierScaled18 = multiplier * 1e18;
+ // Ensure weight is non-negative
+ require(weight >= 0, "Invalid negative weight");
if (multiplier > 0) {
return uint256(weight) + FixedPoint.mulDown(uint256(multiplierScaled18), timeSinceLastUpdate);
} else {
return uint256(weight) - FixedPoint.mulUp(uint256(-multiplierScaled18), timeSinceLastUpdate);
}
}
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

invalid_weights_can_be_negative_or_extreme_values

_clampWeights will check that these weights are positive and in the boundaries before writing them in storage.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.