Integer Overflow in calculateBlockNormalisedWeight
The multiplication multiplier * 1e18 in calculateBlockNormalisedWeight overflows int256 once |multiplier| exceeds type(int256).max / 1e18 (roughly 5.79e58). FixedPoint.mulDown and FixedPoint.mulUp are applied only to the already scaled value, so they do nothing to prevent that first overflow, and their own internal product can overflow uint256 as well when multiplierScaled18 and timeSinceLastUpdate are both large. Under Solidity 0.8 checked arithmetic each of these overflows reverts with an arithmetic panic rather than wrapping; the value would only wrap silently if the multiplication ran inside an unchecked block.
https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/QuantAMMWeightedPool.sol#L527
A malicious actor who can set a large enough multiplier makes the scaled multiplication overflow. With checked arithmetic the weight update reverts, which blocks weight updates for the pool (a denial of service); if the multiplication were ever unchecked, the weight would wrap to an incorrect value instead. Either way the pool's weights, and therefore its pricing, stop reflecting the intended strategy, which can lead to financial losses for users.
Tools used: vscode
Validate the inputs before doing the arithmetic rather than relying on the compiler's overflow check (SafeMath adds nothing on Solidity 0.8, where native arithmetic is already checked): require |multiplier| <= type(int256).max / 1e18 before scaling, and check that the scaled multiplier times timeSinceLastUpdate fits in uint256 before calling mulDown or mulUp. Cast to uint256 only after those checks, and only after confirming the int256 is non-negative, because a negative int256 cast to uint256 becomes a huge positive number rather than reverting.
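The following Foundry test is an added proof of concept for the overflow boundary described above and for the input validation recommended here. It is not the QuantAMM contract and does not use Balancer's FixedPoint library; WeightMath is a hypothetical stand-in that mirrors the pattern "multiplier * 1e18, then a fixed-point multiply against timeSinceLastUpdate". The parameter types (int256 weight and multiplier, uint40 timeSinceLastUpdate), the MAX_ABS_MULTIPLIER constant and the custom errors are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test, stdError} from "forge-std/Test.sol";

/// Hypothetical stand-in for the arithmetic described in the finding. This is NOT
/// the QuantAMM contract; it only mirrors the pattern "multiplier * 1e18, then a
/// fixed-point multiply against timeSinceLastUpdate" so the boundary can be tested.
contract WeightMath {
    uint256 internal constant ONE = 1e18;

    /// Largest |multiplier| for which multiplier * 1e18 still fits in int256 (about 5.79e58).
    int256 public constant MAX_ABS_MULTIPLIER = type(int256).max / 1e18;

    error MultiplierOutOfRange(int256 multiplier);
    error NegativeWeight(int256 weight);

    function mulDown(uint256 a, uint256 b) public pure returns (uint256) {
        return (a * b) / ONE; // a * b is checked: overflow reverts with Panic(0x11)
    }

    function mulUp(uint256 a, uint256 b) public pure returns (uint256) {
        uint256 product = a * b; // checked as well
        return product == 0 ? 0 : (product - 1) / ONE + 1;
    }

    /// Unvalidated version: the only protection is the compiler's checked arithmetic.
    function blockWeight(int256 weight, int256 multiplier, uint40 timeSinceLastUpdate)
        public pure returns (uint256)
    {
        int256 multiplierScaled18 = multiplier * 1e18; // reverts when |multiplier| > MAX_ABS_MULTIPLIER
        if (multiplier > 0) {
            return uint256(weight) + mulDown(uint256(multiplierScaled18), timeSinceLastUpdate);
        }
        return uint256(weight) - mulUp(uint256(-multiplierScaled18), timeSinceLastUpdate);
    }

    /// Hardened version: bound-check the inputs and only then cast, so a bad
    /// multiplier fails with a descriptive error instead of an arithmetic panic.
    function blockWeightChecked(int256 weight, int256 multiplier, uint40 timeSinceLastUpdate)
        public pure returns (uint256)
    {
        if (weight < 0) revert NegativeWeight(weight);
        if (multiplier > MAX_ABS_MULTIPLIER || multiplier < -MAX_ABS_MULTIPLIER) {
            revert MultiplierOutOfRange(multiplier);
        }
        return blockWeight(weight, multiplier, timeSinceLastUpdate);
    }
}

/// Foundry PoC: the revert at the boundary, the second (product) overflow,
/// and the hardened path's clean error.
contract WeightMathTest is Test {
    WeightMath math;

    function setUp() public {
        math = new WeightMath();
    }

    function test_InRangeMultiplierWorks() public view {
        // weight 0.5e18, multiplier 1e15 per second, 10 seconds elapsed -> +1e16
        uint256 w = math.blockWeight(5e17, 1e15, 10);
        assertEq(w, 5e17 + 1e16);
    }

    function test_ScaledMultiplierOverflowReverts() public {
        int256 tooLarge = math.MAX_ABS_MULTIPLIER() + 1;
        vm.expectRevert(stdError.arithmeticError); // Panic(0x11) from multiplier * 1e18
        math.blockWeight(5e17, tooLarge, 1);
    }

    function test_ProductOverflowReverts() public {
        // A scaled multiplier near int256 max times a large elapsed time exceeds uint256
        // inside mulDown, so the in-range multiplier still reverts.
        int256 nearMax = math.MAX_ABS_MULTIPLIER();
        vm.expectRevert(stdError.arithmeticError);
        math.blockWeight(5e17, nearMax, type(uint40).max);
    }

    function test_HardenedVersionRejectsWithDescriptiveError() public {
        int256 tooLarge = math.MAX_ABS_MULTIPLIER() + 1;
        vm.expectRevert(abi.encodeWithSelector(WeightMath.MultiplierOutOfRange.selector, tooLarge));
        math.blockWeightChecked(5e17, tooLarge, 1);
    }
}
```

Run with forge test in a project that has forge-std installed. The second test documents the practical effect under checked arithmetic: the call reverts, so an out-of-range multiplier blocks the weight update rather than producing a wrapped weight; the third test shows that staying within the int256 bound is not enough on its own, because the fixed-point product can still overflow uint256.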
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.