QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Incorrect calculation of `weights` in the `QuantAMMMathGuard::_clampWeights` function, causing the weights to fall outside the permitted range.

Summary

The `QuantAMMMathGuard::_clampWeights` function calculates the weights incorrectly when it applies `proportionalRemainder`.

Vulnerability Details

The weight calculation has the following errors:

  1. `proportionalRemainder` can be greater than 1, which causes the weights to exceed the `absoluteMax` value again.

`proportionalRemainder` is calculated by dividing `sumRemainerWeight` by `sumOtherWeights`. If `sumRemainerWeight > sumOtherWeights`, which has a high chance of occurring, then `proportionalRemainder > 1`.

In the subsequent calculation the weights are multiplied by `proportionalRemainder`, so weights that are equal to or near `absoluteMax` become greater than `absoluteMax`.

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/rules/base/QuantammMathGuard.sol#L61

```solidity
function _clampWeights(
    int256[] memory _weights,
    int256 _absoluteWeightGuardRail
) internal pure returns (int256[] memory) {
    unchecked {
        uint weightLength = _weights.length;
        if (weightLength == 1) {
            return _weights;
        }
        int256 absoluteMin = _absoluteWeightGuardRail;
        int256 absoluteMax = ONE -
            (PRBMathSD59x18.fromInt(int256(_weights.length - 1)).mul(_absoluteWeightGuardRail));
        int256 sumRemainerWeight = ONE;
        int256 sumOtherWeights;
        for (uint i; i < weightLength; ++i) {
            if (_weights[i] < absoluteMin) {
                _weights[i] = absoluteMin;
@>>             sumRemainerWeight -= absoluteMin;
            } else if (_weights[i] > absoluteMax) {
                _weights[i] = absoluteMax;
@>>             sumOtherWeights += absoluteMax;
            }
        }
@>>     if (sumOtherWeights != 0) {
@>>         int256 proportionalRemainder = sumRemainerWeight.div(sumOtherWeights);
@>>         for (uint i; i < weightLength; ++i) {
@>>             if (_weights[i] != absoluteMin) {
@>>                 _weights[i] = _weights[i].mul(proportionalRemainder);
                }
            }
        }
    }
    return _weights;
}
```

  2. The same issue can occur with `absoluteMin`: weights near the `absoluteMin` value can fall below it if `proportionalRemainder` is very small.

This causes the weights to take values outside the permitted range, either exceeding `absoluteMax` or falling below `absoluteMin`.

Impact

The incorrect calculation causes the weights to either exceed `absoluteMax` or fall below `absoluteMin`.

Tools Used

Manual review

Recommendations

Either of the following can be done to mitigate this issue, as needed:

  1. After the calculation, add a check that the weights are within the permitted range.

  2. Multiply by `proportionalRemainder` only those weights that are not near `absoluteMax` or `absoluteMin`, or that will not leave the range after the calculation.
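
As an added illustration of the first recommendation (not part of the submission or the QuantAMM code base), the following Python model reproduces the `_clampWeights` snippet exactly as quoted above and then checks every result against `[absoluteMin, absoluteMax]`. The truncating fixed-point helpers, the 0.1 guard rail and the input vectors are assumptions constructed for the example, so the results describe the quoted snippet, not the deployed contract.

```python
# Added model of the _clampWeights snippet as quoted on this page (not project code).
ONE = 10**18  # 18-decimal fixed point, the scale SD59x18 uses


def fp_mul(x, y):
    # Assumption: truncating multiply; the constructed cases divide exactly.
    return x * y // ONE


def fp_div(x, y):
    return x * ONE // y


def bounds(n, guard_rail):
    # absoluteMin = guard rail, absoluteMax = ONE - (n - 1) * guard rail
    return guard_rail, ONE - fp_mul((n - 1) * ONE, guard_rail)


def clamp_weights(weights, guard_rail):
    w = list(weights)
    if len(w) == 1:
        return w
    abs_min, abs_max = bounds(len(w), guard_rail)
    sum_remainder, sum_other = ONE, 0
    for i, x in enumerate(w):
        if x < abs_min:
            w[i] = abs_min
            sum_remainder -= abs_min
        elif x > abs_max:
            w[i] = abs_max
            sum_other += abs_max
    if sum_other != 0:
        proportional = fp_div(sum_remainder, sum_other)
        for i, x in enumerate(w):
            if x != abs_min:
                w[i] = fp_mul(x, proportional)
    return w


def out_of_range(weights, guard_rail):
    """Recommendation 1: indices whose weight is outside the permitted range."""
    abs_min, abs_max = bounds(len(weights), guard_rail)
    return [i for i, x in enumerate(weights) if x < abs_min or x > abs_max]


GUARD = ONE // 10  # constructed: 0.1 guard rail, so absoluteMax = 0.8 for 3 weights
CASES = {  # constructed input vectors
    "scaled_up": [9 * 10**17, 5 * 10**16, 3 * 10**17],
    "in_range": [5 * 10**17, 3 * 10**17, 2 * 10**17],
}
if __name__ == "__main__":
    for name, ws in CASES.items():
        out = clamp_weights(ws, GUARD)
        print(name, [x / ONE for x in out], "violations:", out_of_range(out, GUARD))
```
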

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

invalid_sum_of_weights_can_exceeds_one_no_guard

According to the sponsor and my understanding, sum of weights does not have to be exactly 1 to work fine. So no real impact here. Please provide a PoC showing a realistic impact if you disagree. This PoC cannot contain negative weights because they will be guarded per clampWeights.

Appeal created
