Incorrect Index Adjustment in _getNormalizedWeight Can Lead to Wrong Weights/Multipliers
Summary
the code subtracts 4 from tokenIndexInPacked when tokenIndex >= 4. This is problematic because the second 256-bit storage slot (_normalizedSecondFourWeights) always stores 4 tokens + 4 multipliers in packed form. However, using tokenIndexInPacked = totalTokens - 4 (or subtracting 4 from totalTokens) incorrectly calculates the offset for retrieving multipliers within _calculateCurrentBlockWeight. This leads to the wrong index being used for the token’s multiplier, which can yield incorrect weight calculations at runtime.
Vulnerability Details
Impact
Incorrect Weight/Mulitplier Retrieval: The pool’s weight calculations can become skewed, resulting in inaccurate price ratios or potentially exploitable mispricing.
User-Facing Consequences: Swaps, AMM logic, or any processes that rely on correct weights may behave incorrectly, impacting user trades or liquidity provisioning.
Tools Used
Manual audit
Recommendations
-
Use a Fixed Offset (4) for the Second Slot
Instead of subtracting 4 from totalTokens, set tokenIndexInPacked = 4 whenever tokenIndex >= 4. For example:if (tokenIndex >= 4) {index = tokenIndex - 4;targetWrappedToken = _normalizedSecondFourWeights;tokenIndexInPacked = 4; // use a fixed offset} else {if (totalTokens > 4) {tokenIndexInPacked = 4;}targetWrappedToken = _normalizedFirstFourWeights;} -
Add Comments or Documentation
If this logic is deliberate for some reason, clarify how each chunk (first four weights vs. second four) is packed, to reduce future confusion.
By ensuring a consistent offset of 4 for the second slot, the correct multiplier will be fetched from the array returned by quantAMMUnpack32, avoiding miscalculations.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.