QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

The `QuantAMMWeightedPoolFactory` uses an incorrect version to create the pool

Summary

The `QuantAMMWeightedPoolFactory` uses an incorrect version to create the pool, which circumvents its intended purpose, leading to potential issues in identifying contract versions and any relevant changes or updates that occurred over time.

Vulnerability Details

In the `QuantAMMWeightedPoolFactory` contract, the `createWithoutArgs` and `create` functions use the hardcoded string `version` to create the `QuantAMMWeightedPool` pool:

```solidity
poolArgs = abi.encode(
    QuantAMMWeightedPool.NewPoolParams({
        name: params.name,
        symbol: params.symbol,
        numTokens: params.normalizedWeights.length,
        version: "version",
        updateWeightRunner: _updateWeightRunner,
        poolRegistry: params.poolRegistry,
        poolDetails: params.poolDetails
    }),
    getVault()
);
```

The `QuantAMMWeightedPool` extends from `Version`. The comment in the `Version` contract specifies that the version should take the form of JSON strings containing detailed deployment information:

```solidity
/**
 * @notice Retrieves a contract's version from storage.
 * @dev The version is set at deployment time and cannot be changed. It would be immutable, but immutable strings
 * are not yet supported.
 *
 * Contracts like factories and pools should have versions. These typically take the form of JSON strings containing
 * detailed information about the deployment. For instance:
 *
 * `{name: 'ChildChainGaugeFactory', version: 2, deployment: '20230316-child-chain-gauge-factory-v2'}`
 */
contract Version is IVersion {
```

However, the code simply assigns a string "version" to the version parameter without providing any meaningful or structured information.

This creates a logical inconsistency because the version management system is expected to hold detailed deployment metadata that allows for tracking and auditing of contract versions. By using a generic, hard-coded string, it circumvents its intended purpose, leading to potential issues in identifying contract versions and any relevant changes or updates that occurred over time. The lack of structured versioning information can also enable version confusion, where administrators or users may not be able to discern the actual behavior or state of the contracts.

Impact

The impact is LOW and the likelihood is HIGH, so the severity is LOW.

Tools Used

Manual Review

Recommendations

In balancer-v3-monorepo, the `WeightedPoolFactory` will use `_poolVersion` to create the pool; see the code here:

https://github.com/balancer/balancer-v3-monorepo/blob/main/pkg/pool-weighted/contracts/WeightedPoolFactory.sol#L76-L87

So consider using the _poolVersion instead:

```solidity
poolArgs = abi.encode(
    QuantAMMWeightedPool.NewPoolParams({
        name: params.name,
        symbol: params.symbol,
        numTokens: params.normalizedWeights.length,
        version: _poolVersion,
        updateWeightRunner: _updateWeightRunner,
        poolRegistry: params.poolRegistry,
        poolDetails: params.poolDetails
    }),
    getVault()
);
```

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_hardcoded_version

Version is immutable as specified in Version.sol and can be what the developer wants. It is hardcoded and will be changed by the admin for every deployment. No real impact here.
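
A source-level check for the pattern discussed in this submission, as an added example that is not part of the submission, the judge's comment, or the QuantAMM code base: it flags `version:` fields in named-argument struct literals that are set to a string literal rather than a variable such as `_poolVersion`. The function names and the `BEFORE`/`AFTER` snippets are constructed for illustration.

```python
import re

# Solidity block comments, line comments, and string literals. Strings are
# tokenised too, so that "//" or "version:" inside a literal is not misread.
_TOKEN = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.DOTALL)
# A named-argument field `version: <string literal or identifier>`.
_FIELD = re.compile(r'\bversion\s*:\s*(["\'][^"\']*["\']|[A-Za-z_$][\w$.]*)')


def _mask(match):
    """Blank comments and string bodies, keeping length and newlines intact."""
    text = match.group(0)
    if text.startswith(("/*", "//")):
        return re.sub(r"[^\n]", " ", text)
    return text[0] + "x" * (len(text) - 2) + text[-1]


def find_hardcoded_versions(source):
    """Return (line, literal) for each `version:` field set to a string literal."""
    masked = _TOKEN.sub(_mask, source)
    findings = []
    for m in _FIELD.finditer(masked):
        # Offsets in the masked text equal offsets in the original source.
        if masked[m.start(1)] in "\"'":
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, source[m.start(1):m.end(1)]))
    return findings


# Constructed samples modelled on the snippets quoted in the submission.
BEFORE = '''/**
 * For instance: `{name: 'Factory', version: 2, deployment: 'x'}`
 */
poolArgs = abi.encode(
    QuantAMMWeightedPool.NewPoolParams({
        name: params.name,
        version: "version",
        poolDetails: params.poolDetails
    }),
    getVault()
);
'''
AFTER = BEFORE.replace('version: "version"', "version: _poolVersion")

if __name__ == "__main__":
    print(find_hardcoded_versions(BEFORE))
    print(find_hardcoded_versions(AFTER))
```

The doc-comment sample in `BEFORE` is masked before matching, so only the struct-literal field is reported.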
