When a user calls the factory’s create or createWithoutArgs function:
The factory encodes parameters into QuantAMMWeightedPool.NewPoolParams, including:
It then calls:
which deploys a new QuantAMMWeightedPool instance.
Inside QuantAMMWeightedPool’s constructor, _totalTokens is set to params.numTokens without verifying params.numTokens <= 8.
Thus a user can deploy a pool with nine or more tokens, even though the rest of the code is written for a maximum of eight.
The problem is that the pool stores weights in two packed int256 slots, each holding four weights and four multipliers, for a total capacity of 8 tokens.
The constructor sets _totalTokens = params.numTokens directly, never checking whether it exceeds 8:
If the caller passes nine or more entries in normalizedWeights, the internal weight accessors try to read or write a ninth token beyond these two packed slots, which either reverts with an array-out-of-bounds error or silently corrupts the packed weights and multipliers.
A pool deployed with more than 8 tokens can therefore have its weight math broken irreparably, leading to reverts or exploitable mispricing.
Manual Review
Add a Require Check
In the factory or in the pool constructor, require that params.numTokens does not exceed 8:
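To make the failure mode and the fix concrete, the following is a hypothetical, stripped-down pool with the same two-slot packing and the recommended bound in its constructor. It is an added illustration written for this report and is not the QuantAMM code: the contract name, the int32 field width, the exact slot layout (weights in the low 128 bits, multipliers in the high 128 bits) and all function and error names are assumptions taken only from the description above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, stripped-down pool written for this report. It is NOT the
// QuantAMM code: the storage layout (two int256 slots, each packing four
// 32-bit weights in the low 128 bits and four 32-bit multipliers in the high
// 128 bits) is assumed from the finding text, and every name is made up.
contract PackedWeightPool {
    uint256 public constant MAX_TOKENS = 8;

    uint256 private immutable _totalTokens;

    // Slot for tokens 0..3 and slot for tokens 4..7.
    int256 private _firstFour;
    int256 private _secondFour;

    error TooManyTokens(uint256 given, uint256 max);
    error LengthMismatch(uint256 weights, uint256 multipliers, uint256 numTokens);
    error TokenIndexOutOfRange(uint256 index, uint256 totalTokens);

    constructor(uint256 numTokens, int32[] memory weights, int32[] memory multipliers) {
        // The fix: the finding is that the original constructor assigned
        // _totalTokens = params.numTokens without this bound, so a pool with
        // nine or more tokens could be deployed.
        if (numTokens > MAX_TOKENS) revert TooManyTokens(numTokens, MAX_TOKENS);
        if (weights.length != numTokens || multipliers.length != numTokens) {
            revert LengthMismatch(weights.length, multipliers.length, numTokens);
        }
        _totalTokens = numTokens;
        for (uint256 i = 0; i < numTokens; ++i) {
            _store(i, weights[i], multipliers[i]);
        }
    }

    function totalTokens() external view returns (uint256) {
        return _totalTokens;
    }

    // Returns (weight, multiplier) for token `i`; reverts for indices past the
    // configured token count instead of reading a neighbouring field.
    function tokenWeight(uint256 i) external view returns (int32 weight, int32 multiplier) {
        if (i >= _totalTokens) revert TokenIndexOutOfRange(i, _totalTokens);
        (int256 slot, uint256 shift) = _locate(i);
        weight = _read(slot, shift);
        multiplier = _read(slot, shift + 128);
    }

    // Selects the slot and the bit offset of token `i` inside it. Without the
    // constructor bound, i == 8 would land on shift 128 of the second slot,
    // i.e. on token 4's multiplier field, and i >= 12 on a shift of 256 or
    // more, where a uint256 shift yields zero and the value is silently lost.
    function _locate(uint256 i) private view returns (int256 slot, uint256 shift) {
        if (i < 4) {
            return (_firstFour, 32 * i);
        }
        return (_secondFour, 32 * (i - 4));
    }

    function _read(int256 slot, uint256 shift) private pure returns (int32) {
        return int32(uint32(uint256(slot) >> shift));
    }

    function _store(uint256 i, int32 weight, int32 multiplier) private {
        uint256 shift = i < 4 ? 32 * i : 32 * (i - 4);
        uint256 s = i < 4 ? uint256(_firstFour) : uint256(_secondFour);
        s = _write(s, shift, weight);
        s = _write(s, shift + 128, multiplier);
        if (i < 4) {
            _firstFour = int256(s);
        } else {
            _secondFour = int256(s);
        }
    }

    // Overwrites the 32-bit field at `shift` in the packed word `s`.
    function _write(uint256 s, uint256 shift, int32 value) private pure returns (uint256) {
        uint256 mask = uint256(type(uint32).max) << shift;
        return (s & ~mask) | (uint256(uint32(value)) << shift);
    }
}
```

The offset arithmetic in _locate and _store is what makes the missing bound dangerous: if the constructor accepted numTokens = 9, the loop would store token 8 at bit offset 128 of the second slot, which is token 4's multiplier field, so a legitimate token's multiplier is overwritten; its own multiplier would go to offset 256, where the shift produces zero and the write is dropped. With the TooManyTokens check in place that path is unreachable, and tokenWeight additionally rejects any index at or beyond the configured count rather than reading a neighbouring field.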
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.