QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: high

Invalid

Anyone can set a rule for a pool of the weighted settings for the pool in the update weight runner contract can be DoSed

gbadebosmith

Summary

By allowing anybody to set a rule for a pool of the settings for the pool in the update weight runner contract it allows malicious users to change the weighted pool settings of the update weight runner contract.

Vulnerability Details

The UpdateWeightRunner::setRuleForPool() function has no access control to restrict who can call this function. This allows anybody to set the rule for the weighted pool in this contract to any listed in IQuantAMMWeightedPool.PoolSettings.

The vulnerable function is:

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/UpdateWeightRunner.sol#L235-L276

function setRuleForPool(IQuantAMMWeightedPool.PoolSettings memory _poolSettings) external {

require(address(rules[msg.sender]) == address(0), "Rule already set");

require(_poolSettings.oracles.length > 0, "Empty oracles array");

require(poolOracles[msg.sender].length == 0, "pool rule already set");

for (uint i; i < _poolSettings.oracles.length; ++i) {

require(_poolSettings.oracles[i].length > 0, "Empty oracles array");

for (uint j; j < _poolSettings.oracles[i].length; ++j) {

if (!approvedOracles[_poolSettings.oracles[i][j]]) {

revert("Not approved oracled used");

}

address[] memory optimisedHappyPathOracles = new address[]();

for (uint i; i < _poolSettings.oracles.length; ++i) {

optimisedHappyPathOracles[i] = _poolSettings.oracles[i][0];

}

poolOracles[msg.sender] = optimisedHappyPathOracles;

poolBackupOracles[msg.sender] = _poolSettings.oracles;

rules[msg.sender] = _poolSettings.rule;

poolRuleSettings[msg.sender] = PoolRuleSettings({

lambda: _poolSettings.lambda,

epsilonMax: _poolSettings.epsilonMax,

absoluteWeightGuardRail: _poolSettings.absoluteWeightGuardRail,

ruleParameters: _poolSettings.ruleParameters,

timingSettings: PoolTimingSettings({ updateInterval: _poolSettings.updateInterval, lastPoolUpdateRun: 0 }),

poolManager: _poolSettings.poolManager

});

// emit event for easier tracking of rule changes

emit PoolRuleSet(

address(_poolSettings.rule),

_poolSettings.oracles,

_poolSettings.lambda,

_poolSettings.ruleParameters,

_poolSettings.epsilonMax,

_poolSettings.absoluteWeightGuardRail,

_poolSettings.updateInterval,

_poolSettings.poolManager

);

}

Impact

By allowing anyone to run the setRuleForPool function, which loops through oracle pool settings it can be DoS'ed.

Tools Used

Manual review.

Recommendations

Add the following require statement to the function to validate the sender is legit.

require(msg.sender == quantammAdmin, "ONLYADMIN");

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.