Invalid Upper Limit Check of Asset Weight Validation in the `_setRule` Function of the `QuantAMMWeightedPool.sol` Contract
Summary
While the current logic ensures the value is greater than or equal to 0.01 and less than 1/n (where n is the number of tokens) in the _setRule function of the QuantAMMWeightedPool.sol contract, it fails to explicitly enforce the stated upper limit of 0.49.
Additionally, if the weight of one asset is < 1/n, the total weights cannot sum to 1. The absence of this check could result in imbalanced asset weights, disproportionately affecting pool allocations, pricing, etc.
Vulnerability Details
The issue is found in the _setRule function of QuantAMMWeightedPool.sol contract
pkg/pool-quantamm/contracts/QuantAMMWeightedPool.sol:_setRule#L779:
The logic checks:
The guard rail is less than 1/n, where n is the number of tokens.
The guard rail is greater than or equal to 0.01.
However, If the weight of one asset is < 1/n, at least one other asset must have a weight > 1/n. Otherwise, the total weights cannot sum to 1.
Additionally, the comments state that the guard rail value "cannot be more than 0.49 or less than 0.01". The absence of an explicit check for <= 0.49 introduces the risk of exceeding this stated limit. For example: With n = 2, the upper bound 1/n = 0.5. A value of 0.5 would pass validation but violates the intended maximum limit of 0.49.
Impact
-
Imbalance in Asset Weights:
The guard rail ensures that weights for individual assets remain within a reasonable range. If the weight of one asset is < 1/n, at least one other asset must have a weight > 1/n to ensure the total weights sum to 1. Allowing values outside the intended bounds could disrupt this balance, potentially causing:
Disproportionate pool allocations where certain assets dominate the pool, affecting fairness and efficiency.
Deviations from expected pool behavior, leading to issues such as pricing errors, increased slippage, or unintended risks for users.
-
Violation of Intended Constraints:
If n = 2, the current validation allows a guard rail value of 0.5, which contradicts the stated maximum limit of 0.49. This creates a mismatch between the code's logic and its documented intent, leading to unexpected behavior.
Tools Used
Manual Review
Recommendations
It is recommended to add a check to enforce a more reasonable upper limit, for example <= 0.49. Alternatively, please use <= instead of <, as shown below:
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
invalid_sum_of_weights_can_exceeds_one_no_guard
According the sponsor and my understanding, sum of weights does not have to be exactly 1 to work fine. So no real impact here. Please provide a PoC showing a realistic impact if you disagree. This PoC cannot contains negative weights because they will be guarded per clampWeights.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.