Unbounded Loop in `quantAMMUnpack32Array`
Summary
Unbounded Loop in quantAMMUnpack32Array
Vulnerability Details
The quantAMMUnpack32Array function has nested for loops with no limit on the length of _sourceArray except for the one from require(_sourceArray.length * 8 >= _targetArrayLength, \"SRC!=TGT\"); which is not enough, as _targetArrayLength is controlled by the user as well, so the loops can consume too much gas, causing a denial of service.
https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/QuantAMMStorage.sol#L126
Impact
A malicious user can provide a large _sourceArray and _targetArrayLength, leading to a gas exhaustion and denial-of-service when the contract tries to process it, preventing further updates.
Tools Used
vscode
Recommendations
Implement checks to ensure the size of the input _sourceArray and _targetArrayLength do not exceed a reasonable limit. Consider setting a maximum length for _sourceArray or implementing a pagination mechanism for processing large arrays.
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.