The QuantAMMWeightedPool constructor and initialize function do not implement any check to ensure that the deployer and initializer of the QuantAMMWeightedPool contract are the QuantAMMWeightedPoolFactory contract.
A malicious user can deploy their own pool, with their own parameters and weights, without going through the factory contract.
The QuantAMMWeightedPool contract can be deployed and initialized by anyone. It does not include any checks to verify that the deployment is done through the factory contract.
A malicious user could deploy the QuantAMMWeightedPool contract and initialize it with their own parameters and weights.
Users of this malicious pool could be rug-pulled and their tokens and funds could be compromised, as the malicious pool could operate with unauthorized parameters and weights.
Manual Review
To mitigate the bug, you can implement the following changes:
1. Add a check in the constructor to ensure the contract is deployed through the QuantAMMWeightedPoolFactory:
2. Add a check at the start of the initialize function to ensure the initializer is the QuantAMMWeightedPoolFactory contract:
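As an added illustration of the two recommended guards (deployer check in the constructor, initializer check in `initialize`), not the QuantAMM project's own code: the factory's `create` function, its `isPoolFromFactory` registry, the `expectedFactory` constructor argument, the `initialize(uint256[])` signature and the weight-sum rule are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of a factory-only deployment and initialization guard.
// Not the QuantAMM project's code: `create`, `isPoolFromFactory`,
// `expectedFactory` and `initialize(uint256[])` are assumed for this example.

contract QuantAMMWeightedPool {
    /// Address that deployed this pool; fixed at construction.
    address public immutable factory;
    bool private _initialized;
    uint256[] private _weights;

    error NotFactory(address caller);
    error AlreadyInitialized();
    error InvalidWeights();

    /// Check 1 (constructor): the deployer must be the factory.
    /// A deployer that is not the factory can only pass this check by
    /// passing its own address as `expectedFactory`, so integrators must
    /// still compare `factory()` with the canonical factory (or consult the
    /// factory's registry below) before trusting a pool.
    constructor(address expectedFactory) {
        if (msg.sender != expectedFactory) revert NotFactory(msg.sender);
        factory = expectedFactory;
    }

    /// Check 2 (initialize): only the recorded factory may set the initial
    /// weights, and only once.
    function initialize(uint256[] calldata weights) external {
        if (msg.sender != factory) revert NotFactory(msg.sender);
        if (_initialized) revert AlreadyInitialized();
        _initialized = true;

        // Constructed sanity rule for the example: weights must sum to 1e18.
        uint256 total;
        for (uint256 i = 0; i < weights.length; ++i) {
            total += weights[i];
        }
        if (weights.length == 0 || total != 1e18) revert InvalidWeights();
        _weights = weights;
    }

    function getWeights() external view returns (uint256[] memory) {
        return _weights;
    }
}

contract QuantAMMWeightedPoolFactory {
    /// Pools created by this factory. This mapping, not the pool's bytecode,
    /// is the authoritative signal that a pool was deployed and initialized
    /// with factory-controlled parameters.
    mapping(address => bool) public isPoolFromFactory;

    event PoolCreated(address indexed pool);

    /// Deploys and initializes the pool in one transaction, so `msg.sender`
    /// seen by the pool's constructor and by `initialize` is this factory.
    function create(uint256[] calldata weights) external returns (address) {
        QuantAMMWeightedPool pool = new QuantAMMWeightedPool(address(this));
        pool.initialize(weights);
        isPoolFromFactory[address(pool)] = true;
        emit PoolCreated(address(pool));
        return address(pool);
    }
}
```

The constructor guard alone cannot distinguish the real factory from a deployer that names itself as `expectedFactory`; what the two checks give you is that a pool whose `factory()` equals the canonical factory address was necessarily constructed and initialized by that factory. Front ends and integrators should therefore verify `factory()` (or `isPoolFromFactory`) before routing funds to a pool.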
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.