QuantAMM

49,600 OP
Submission Details
Severity: high
Valid

Incorrect implementation of `QuantammVarianceBasedRule.sol#_calculateQuantAMMVariance`.

Summary

In the contract QuantammVarianceBasedRule.sol, the implementation of _calculateQuantAMMVariance is wrong because it does not properly handle the case where the lambda is a vector.

Vulnerability Details

https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/rules/base/QuantammVarianceBasedRule.sol#L129-L189

In the function _calculateQuantAMMVariance, when lambda is a scalar, locals.nMinusOne is decremented by one. Later, when locals.notDivisibleByTwo is true, locals.nMinusOne is incremented by one. However, when lambda is a vector, locals.nMinusOne is not decremented but is still incremented, which pushes the index locals.nMinusOne out of range:

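```solidity
if (locals.notDivisibleByTwo) {
    unchecked {
        ++locals.nMinusOne;
        // With a vector lambda, nMinusOne was never decremented, so this read is out of range.
        locals.convertedLambda = int256(_poolParameters.lambda[locals.nMinusOne]);
        locals.oneMinusLambda = ONE - locals.convertedLambda;
    }
    // ... (rest of the block is not shown in this excerpt)
}
```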

Impact

DoS of the function _calculateQuantAMMVariance.

Tools Used

VScode

Recommendations

Correctly decrement locals.nMinusOne when lambda is a vector.
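The counter handling described in this finding, modelled in Python as an added example (not the contract's code or the submitter's). It assumes locals.nMinusOne starts at n - 1, that a scalar lambda is a one-element array, and that a vector lambda holds one entry per asset; `tail_index`, `reverting_configs` and the lambda value are hypothetical names and constructed data.

```python
from typing import List, Optional, Tuple

LAMBDA = 5 * 10**17  # constructed sample value (0.5 in 18-decimal fixed point)


def tail_index(n_assets: int, lam: List[int], fixed: bool = False) -> Optional[int]:
    """Index used for the last, unpaired asset; None when n_assets is even.

    Raises IndexError where the Solidity array read would revert.
    """
    n_minus_one = n_assets - 1                 # assumption: initial value
    not_divisible_by_two = n_assets % 2 != 0   # locals.notDivisibleByTwo
    lambda_is_scalar = len(lam) == 1           # assumption: scalar = 1 element

    # The decrement exists for a scalar lambda; for a vector lambda it is
    # only applied when fixed=True (the report's recommendation).
    if lambda_is_scalar or fixed:
        n_minus_one -= 1

    if not not_divisible_by_two:
        return None                            # tail block is skipped

    n_minus_one += 1                           # ++locals.nMinusOne
    if not lambda_is_scalar:
        if n_minus_one >= len(lam):            # lambda[locals.nMinusOne]
            raise IndexError(f"lambda[{n_minus_one}] with length {len(lam)}")
        _ = lam[n_minus_one]
    return n_minus_one


def reverting_configs(max_assets: int = 8, fixed: bool = False) -> List[Tuple[int, str]]:
    """Every (asset count, lambda shape) whose variance update would revert."""
    bad = []
    for n in range(2, max_assets + 1):
        for shape, lam in (("scalar", [LAMBDA]), ("vector", [LAMBDA] * n)):
            try:
                tail_index(n, lam, fixed)
            except IndexError:
                bad.append((n, shape))
    return bad


if __name__ == "__main__":
    print("current:", reverting_configs())
    print("with decrement in vector path:", reverting_configs(fixed=True))
```

Sweeping asset counts this way is a cheap regression check to port into the project's test suite: the failing set should be exactly the odd counts with a vector lambda, and empty once the decrement is applied.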

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_calculateQuantAMMVariance_revert_when_vector_lambda_and_odd_asset_number

Likelihood: Medium/High, odd asset number + lambda is a vector. Impact: Medium/High, DoS the update.
