QuantAMM

49,600 OP
Submission Details
Severity: high
Invalid

Lack of Validation for Exponent Lower Bound in `ChannelFollowingUpdateRule.sol` Contract May Lead to Incorrect Weight Changes due to Small Price Deviations

Summary

The validParameters function of the ChannelFollowingUpdateRule.sol contract does not properly validate the exponent values (q) used in the Power strategy within the Channel Following mechanism. According to the whitepaper and the logic of the code, the exponent q must be greater than 1. The current check only ensures that q is greater than 0; it does not verify that q is greater than 1. This oversight can result in incorrect weight changes and potentially cause losses for the pool, especially when q is less than 1.

Vulnerability Details

The issue arises from the lack of validation for the lower bound of the exponent q in the Power strategy. The current code:
pkg/pool-quantamm/contracts/rules/ChannelFollowingUpdateRule.sol:validParameters#L296

    function validParameters(int256[][] calldata parameters) external pure override returns (bool valid) {
        ...
        if (_parameters[3][i] <= 0) return false; // exponents must be positive
        ...

fails to ensure that the exponent q is greater than 1, which is a critical condition outlined in the whitepaper and necessary to maintain the stability of the pool. With exponents less than 1, the power-channel strategy can make weight changes disproportionately sensitive to small price deviations, contrary to the anti-momentum strategy required by the whitepaper, leading to incorrect weight changes in the pool.

whitepaper

Power-Channel: “q, the exponent, is > 1 and sets how strong this non linearity is.”
Channel Following: “For small price deviations, act with anti-momentum (so expecting the trend to revert); and for larger deviations, act with a (power-boosted) momentum (so expecting the trend to continue).”

Additionally, the PowerChannelUpdateRule.sol contract checks whether q, the exponent, is greater than 1, but the ChannelFollowingUpdateRule.sol contract using the same strategy does not perform this check.
pkg/pool-quantamm/contracts/rules/PowerChannelUpdateRule.sol:validParameters#L197-L200

    function validParameters(int256[][] calldata parameters) external pure override returns (bool valid) {
        ...
        for (uint i; i < parameters[1].length; ) {
            // @audit check whether the exponent q is greater than 1
            if (parameters[1][i] <= ONE) {
                valid = false;
                break;
            }
            unchecked {
                ++i;
            }
        }
        ...

Impact

The failure to validate the lower bound of the exponent (q) can result in the following consequences:

  • Instability of the Pool: When q <= 1, small price changes may trigger weight changes through the Power-Channel strategy used in Channel Following, leading to unpredictable behavior in the pool.

  • Increased Price Fluctuations: With q <= 1, the formula magnifies price movements, which could destabilize the market and affect users' investments.

  • Deviation from Whitepaper Design: The current implementation deviates from the mathematical principles outlined in the whitepaper, risking the system's integrity and functionality.

Tools Used

  • Manual review

Recommendations

To mitigate this vulnerability and prevent incorrect weight changes in the pool, it is recommended to modify the current validation logic to check that the exponent (q) is greater than 1:

    // exponents must be > 1; ONE is the fixed-point constant used by the PowerChannelUpdateRule check above
    if (_parameters[3][i] <= ONE) return false;

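
Added example (not part of the submission or the QuantAMM code base): a Python model of a bare power term sign(x)·|x|^q that shows how an exponent below 1 amplifies small deviations, next to a mirror of the exponent bound check at three thresholds. The 18-decimal fixed-point scale for `ONE`, the simplified power term and the sample parameter row are assumptions made for illustration.

```python
# Assumption: exponents are stored as 18-decimal fixed-point integers,
# so the value 1.0 is represented by ONE and the raw integer 1 is 1e-18.
ONE = 10**18


def power_response(x: float, q: float) -> float:
    """Simplified power term sign(x) * |x|**q (not the contract's full formula)."""
    if x == 0:
        return 0.0
    sign = 1 if x > 0 else -1
    return sign * abs(x) ** q


def amplification(x: float, q: float) -> float:
    """Response relative to a linear rule: |x|**q / |x| = |x|**(q - 1)."""
    return abs(power_response(x, q)) / abs(x)


def exponents_valid(exponents: list, lower_bound: int) -> bool:
    """Mirror of the check's shape: reject any exponent <= lower_bound."""
    return all(q > lower_bound for q in exponents)


# Constructed sample parameter row: q = 0.5, 1.0 and 2.5 in fixed point.
SAMPLE_ROW = [ONE // 2, ONE, 5 * ONE // 2]


def report() -> dict:
    """Evaluate the sample row against each candidate lower bound."""
    return {
        "positive only (<= 0)": exponents_valid(SAMPLE_ROW, 0),
        "raw integer (<= 1)": exponents_valid(SAMPLE_ROW, 1),
        "fixed-point (<= ONE)": exponents_valid(SAMPLE_ROW, ONE),
        "exponents above 1.0": [q for q in SAMPLE_ROW if q > ONE],
    }


if __name__ == "__main__":
    # For each small deviation, compare q = 0.5, 1.0 and 2.5 with a linear response.
    for deviation in (0.001, 0.01, 0.1):
        ratios = [round(amplification(deviation, q), 4) for q in (0.5, 1.0, 2.5)]
        print(f"deviation={deviation}: amplification for q=0.5/1.0/2.5 -> {ratios}")
    print(report())
```

In this model a 1% deviation is amplified tenfold at q = 0.5 and damped a thousandfold at q = 2.5, and only the comparison against `ONE` rejects the row containing q = 0.5 and q = 1.0.
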
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
