Input validation gap in _calculateQuantAMMMovingAverage
allows mismatched array lengths, where _newData.length
can exceed _numberOfAssets
.
Function is only callable by updateWeightRunner
, limiting this to an admin error like scenario. Could lead to unintended data omission if admin provides mismatched arrays.
PoC:
Add exposedCalculateQuantAMMMovingAverage
in pkg/pool-quantamm/contracts/mock/mockRules/MockUpdateRule.sol
And testMismatchedArrayLengthsPoC
in pkg/pool-quantamm/test/foundry/rules/UpdateRule.t.sol
then run the test ;)
Add explicit validation:
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.