QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

Unauthorized State Modification of `approvedOracles` in the `removeOracle` Function of `UpdateWeightRunner.sol` Contract

eta

Summary

The removeOracle function in the UpdateWeightRunner.solcontract demonstrates a critical issue where state changes of approvedOracles are made before msg.sender permissions are verified. This flaw enables unauthorized modifications to the approvedOracles mapping, potentially leading to system vulnerabilities.

Vulnerability Details

pkg/pool-quantamm/contracts/UpdateWeightRunner.sol:removeOracle#L220

function removeOracle(OracleWrapper _oracleToRemove) external {

approvedOracles[address(_oracleToRemove)] = false; // @audit State change occurs before permission check

require(msg.sender == quantammAdmin, "ONLYADMIN"); // @audit Permission check is too late

emit OracleRemved(address(_oracleToRemove));

}

Incorrect Permission Check Order in removeOracle: The state change (approvedOracles[address(_oracleToRemove)] = false) is performed before the admin permission check (require(msg.sender == quantammAdmin, "ONLYADMIN")), allowing unauthorized users to modify the oracle's state.

If state modifications are performed before condition checks are completed, and the condition fails, triggering a revert, the changes will be rolled back. However, during the execution of complex logic, there might be a temporary state inconsistency that could potentially be exploited by malicious users.

Impact

Unauthorized users could remove valid oracles by exploiting the incorrect permission check order in removeOracle. This could destabilize pools reliant on the removed oracles for accurate data.
If state changes occur before checks and a revert is triggered, temporary inconsistencies during execution could be exploited by malicious users.

Tools Used

Manual Review

Recommendations

It is recommended to enforce permission checks before making state changes:

function removeOracle(OracleWrapper _oracleToRemove) external {

require(msg.sender == quantammAdmin, "ONLYADMIN"); // @audit Check permissions first

approvedOracles[address(_oracleToRemove)] = false; // @audit Update state after validation

emit OracleRemoved(address(_oracleToRemove));

}

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!