QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Lack of input validation in `InitialisePoolLastRunTime` function leads to setting an invalid or outdated timestamp

Summary

The InitialisePoolLastRunTime function lacks input validation for the _time parameter. This can lead to setting an invalid or outdated timestamp, potentially disrupting the pool's intended operation.

Vulnerability Details

The InitialisePoolLastRunTime function allows authorized users to set the last run time of a pool. However, it does not validate the _time parameter, which can lead to setting an invalid or outdated timestamp. This can disrupt the pool's intended operation and potentially cause financial losses.

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/UpdateWeightRunner.sol#L313-L327

```solidity
function InitialisePoolLastRunTime(address _poolAddress, uint40 _time) external {
    uint256 poolRegistryEntry = approvedPoolActions[_poolAddress];
    //current breakglass settings allow pool creator trigger. This is subject to review
    if (poolRegistryEntry & MASK_POOL_OWNER_UPDATES > 0) {
        require(msg.sender == poolRuleSettings[_poolAddress].poolManager, "ONLYMANAGER");
    } else if (poolRegistryEntry & MASK_POOL_QUANTAMM_ADMIN_UPDATES > 0) {
        require(msg.sender == quantammAdmin, "ONLYADMIN");
    } else {
        revert("No permission to set last run time");
    }
    poolRuleSettings[_poolAddress].timingSettings.lastPoolUpdateRun = _time;
    emit PoolLastRunSet(_poolAddress, _time);
}
```

PoC:

Using the following values:

  • _poolAddress: Address of the pool

  • _time: 500,000 (an outdated timestamp)

Any authorized user can call the InitialisePoolLastRunTime function with an outdated timestamp to set the last run time of the pool.

Impact

The lack of input validation allows authorized users to set an invalid or outdated timestamp for the last run time of a pool. This can disrupt the pool's intended operation and potentially cause financial losses.

Tools Used

Manual review.

Recommendations

Add validation to ensure the _time parameter is within a reasonable range. For example, ensure that the _time parameter is not in the past and is not too far in the future.

```solidity
function InitialisePoolLastRunTime(address _poolAddress, uint40 _time) external {
    uint256 poolRegistryEntry = approvedPoolActions[_poolAddress];
    //current breakglass settings allow pool creator trigger. This is subject to review
    if (poolRegistryEntry & MASK_POOL_OWNER_UPDATES > 0) {
        require(msg.sender == poolRuleSettings[_poolAddress].poolManager, "ONLYMANAGER");
    } else if (poolRegistryEntry & MASK_POOL_QUANTAMM_ADMIN_UPDATES > 0) {
        require(msg.sender == quantammAdmin, "ONLYADMIN");
    } else {
        revert("No permission to set last run time");
    }
    // Add input validation
    require(_time >= block.timestamp, "Time cannot be in the past");
    require(_time <= block.timestamp + 365 days, "Time too far in the future");
    poolRuleSettings[_poolAddress].timingSettings.lastPoolUpdateRun = _time;
    emit PoolLastRunSet(_poolAddress, _time);
}
```

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
