QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Unauthorized pool update in `UpdateWeightRunner.sol` allows any user to trigger an update for a pool they do not own

Summary

A vulnerability in the UpdateWeightRunner.sol contract allows any user to trigger an update for a pool they do not own. This can lead to unauthorized updates, disrupting the pool's intended operation.

Vulnerability Details

The performUpdate function in the contract allows any user to trigger an update for a pool, regardless of ownership. The function does not include any checks to verify if the caller is authorized to perform the update. This can lead to unauthorized updates, which can disrupt the pool's intended operation and lead to financial losses.

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/UpdateWeightRunner.sol#L279-L300

function performUpdate(address _pool) public {
    // Main external access point to trigger an update
    address rule = address(rules[_pool]);
    require(rule != address(0), "Pool not registered");
    PoolRuleSettings memory settings = poolRuleSettings[_pool];
    require(
        block.timestamp - settings.timingSettings.lastPoolUpdateRun >= settings.timingSettings.updateInterval,
        "Update not allowed"
    );
    uint256 poolRegistryEntry = approvedPoolActions[_pool];
    if (poolRegistryEntry & MASK_POOL_PERFORM_UPDATE > 0) {
        _performUpdateAndGetData(_pool, settings);
        // emit event for easier tracking of updates and to allow for easier querying of updates
        emit UpdatePerformed(msg.sender, _pool);
    } else {
        revert("Pool not approved to perform update");
    }
}

PoC:

Using the following values:

  • block.timestamp: 1,000,000

  • settings.timingSettings.lastPoolUpdateRun: 900,000

  • settings.timingSettings.updateInterval: 100,000

  • approvedPoolActions[_pool]: 1 (indicating approval)

Any user can call the performUpdate function with the _pool address to trigger an update.

pragma solidity ^0.8.0;

import "forge-std/Test.sol";
import "../UpdateWeightRunner.sol";

contract UpdateWeightRunnerTest is Test {
    UpdateWeightRunner runner;
    address pool = address(0x123);
    address unauthorizedUser = address(0x456);

    function setUp() public {
        runner = new UpdateWeightRunner();
        // Set up initial state
        runner.registerPool(pool, 100000, 900000, 1);
    }

    function testUnauthorizedUpdate() public {
        vm.prank(unauthorizedUser);
        runner.performUpdate(pool);
    }
}

Impact

The vulnerability allows any user to trigger an update for any pool, regardless of ownership. This can lead to unauthorized updates, disrupting the pool's intended operation and causing financial losses.

Tools Used

Manual review.

Recommendations

Add a check to verify if the caller is authorized to perform the update. For example, add an onlyOwner modifier or a similar access control mechanism.

function performUpdate(address _pool) public onlyOwner {
    // Main external access point to trigger an update
    address rule = address(rules[_pool]);
    require(rule != address(0), "Pool not registered");
    PoolRuleSettings memory settings = poolRuleSettings[_pool];
    require(
        block.timestamp - settings.timingSettings.lastPoolUpdateRun >= settings.timingSettings.updateInterval,
        "Update not allowed"
    );
    uint256 poolRegistryEntry = approvedPoolActions[_pool];
    if (poolRegistryEntry & MASK_POOL_PERFORM_UPDATE > 0) {
        _performUpdateAndGetData(_pool, settings);
        // emit event for easier tracking of updates and to allow for easier querying of updates
        emit UpdatePerformed(msg.sender, _pool);
    } else {
        revert("Pool not approved to perform update");
    }
}

Additionally, add a check that will identify the owner of the pool.
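
The following Foundry test is an added example, not the submitter's PoC or QuantAMM's code. It calls a stand-in for the quoted `performUpdate` from an arbitrary address, using the PoC's numbers, to show which guards bound that caller. `RunnerGuardsHarness`, `configure`, the mask value 1 and the write to `lastPoolUpdateRun` are assumptions that stand in for the real contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
import "forge-std/Test.sol";

// Hypothetical stand-in for UpdateWeightRunner: only the three guards quoted on this page.
contract RunnerGuardsHarness {
    uint256 constant MASK_POOL_PERFORM_UPDATE = 1; // assumed; matches the PoC's approval value
    mapping(address => address) public rules;
    mapping(address => uint256) public approvedPoolActions;
    mapping(address => uint256) public updateInterval;
    mapping(address => uint256) public lastPoolUpdateRun;
    function configure(address pool, address rule, uint256 actions, uint256 interval) external {
        rules[pool] = rule;
        approvedPoolActions[pool] = actions;
        updateInterval[pool] = interval;
        lastPoolUpdateRun[pool] = block.timestamp;
    }

    function performUpdate(address pool) public {
        require(rules[pool] != address(0), "Pool not registered");
        require(block.timestamp - lastPoolUpdateRun[pool] >= updateInterval[pool], "Update not allowed");
        require((approvedPoolActions[pool] & MASK_POOL_PERFORM_UPDATE) > 0, "Pool not approved to perform update");
        lastPoolUpdateRun[pool] = block.timestamp; // assumption: the real update records its run time
    }
}

contract PermissionlessUpdateBoundsTest is Test {
    RunnerGuardsHarness runner = new RunnerGuardsHarness();
    address pool = address(0x123);   // constructed sample addresses
    address anyone = address(0x456);

    function testCallerIsBoundedByGuards() public {
        vm.warp(900_000); // lastPoolUpdateRun from the PoC
        runner.configure(pool, address(0xBEEF), 1, 100_000);
        vm.startPrank(anyone);
        vm.expectRevert("Pool not registered");
        runner.performUpdate(address(0x999)); // pool with no rule set

        vm.warp(999_999); // one second short of the interval
        vm.expectRevert("Update not allowed");
        runner.performUpdate(pool);

        vm.warp(1_000_000); // the PoC's values: 1,000,000 - 900,000 >= 100,000
        runner.performUpdate(pool); // succeeds for a caller who does not own the pool
        assertEq(runner.lastPoolUpdateRun(pool), 1_000_000);
        vm.expectRevert("Update not allowed"); // an immediate repeat is rejected
        runner.performUpdate(pool);
    }
}
```

Under these assumptions the caller chooses only when, after the interval has elapsed, an already approved update runs.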

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
