QuantAMM

49,600 OP
Submission Details
Severity: medium
Invalid

Potential Mismatch Between `setWeightsManually` and `setWeights` Functionality

Summary

The `setWeightsManually` function allows an admin or pool manager to manually set pool weights. However, this function does not account for block multipliers, while the `setWeights` function, which it calls, explicitly expects weights and their corresponding block multipliers as input. This mismatch can lead to runtime errors or unintended behavior, particularly when `_weights` does not match the format required by `setWeights`.

Vulnerability Details

The `setWeightsManually` function only processes and validates weight values without considering block multipliers.

```solidity
function setWeightsManually(
    int256[] calldata _weights,
    address _poolAddress,
    uint40 _lastInterpolationTimePossible,
    uint _numberOfAssets
) external {
    uint256 poolRegistryEntry = QuantAMMWeightedPool(_poolAddress).poolRegistry();
    if (poolRegistryEntry & MASK_POOL_OWNER_UPDATES > 0) {
        require(msg.sender == poolRuleSettings[_poolAddress].poolManager, "ONLYMANAGER");
    } else if (poolRegistryEntry & MASK_POOL_QUANTAMM_ADMIN_UPDATES > 0) {
        require(msg.sender == quantammAdmin, "ONLYADMIN");
    } else {
        revert("No permission to set weight values");
    }
    //though we try to keep manual overrides as open as possible for unknown unknowns
    //given how the math library works weights it is easiest to define weights as 18dp
    //even though technically G3M works off the ratio between them so it is not strictly necessary
    //CYFRIN L-02
    for (uint i; i < _weights.length; i++) {
        if (i < _numberOfAssets) {
            require(_weights[i] > 0, "Negative weight not allowed");
            require(_weights[i] < 1e18, "greater than 1 weight not allowed");
        }
    }
    IQuantAMMWeightedPool(_poolAddress).setWeights(_weights, _poolAddress, _lastInterpolationTimePossible);
    emit SetWeightManual(msg.sender, _poolAddress, _weights, _lastInterpolationTimePossible);
}
```

The `setWeights` function expects the `_weights` parameter to include both weights and block multipliers, with the length being twice the number of total tokens.

```solidity
function setWeights(
    int256[] calldata _weights,
    address _poolAddress,
    uint40 _lastInterpolationTimePossible
) external override {
    require(msg.sender == address(updateWeightRunner), "ONLYUPDW");
    require(_weights.length == _totalTokens * 2, "WLDL"); //weight length different  <-- line highlighted by the submitter
    if (_weights.length > 8) {
        int256[][] memory splitWeights = _splitWeightAndMultipliers(_weights);
        _normalizedFirstFourWeights = quantAMMPack32Array(splitWeights[0])[0];
        _normalizedSecondFourWeights = quantAMMPack32Array(splitWeights[1])[0];
    } else {
        _normalizedFirstFourWeights = quantAMMPack32Array(_weights)[0];
    }
    //struct allows one SSTORE
    poolSettings.quantAMMBaseInterpolationDetails = QuantAMMBaseInterpolationVariables({
        lastPossibleInterpolationTime: _lastInterpolationTimePossible,
        lastUpdateIntervalTime: uint40(block.timestamp)
    });
    emit WeightsUpdated(_poolAddress, _weights);
}
```

Impact

If the `_weights.length` provided by `setWeightsManually` does not equal `_totalTokens * 2`, the `require` statement in `setWeights` will revert with the error message "WLDL".
Even if `_weights.length == _totalTokens * 2`, the block multipliers portion may be uninitialized or invalid, leading to unintended results in weight and multiplier calculations.

Tools Used

Manual Review

Recommendations

Modify `setWeightsManually` to include both weights and block multipliers in `_weights`.
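
Added example, not part of the submission or of the QuantAMM code base: a stand-alone Solidity harness that replays the two input checks quoted above (the range loop in `setWeightsManually` and the `WLDL` length check in `setWeights`) on constructed arrays for a two-token pool, so the array shape that passes both can be inspected directly. The contract name, the `Result` enum, the sample values and the weights-first ordering of the packed array are assumptions made for illustration; access control and `quantAMMPack32Array` are not modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Illustration only (hypothetical contract, not QuantAMM code): replays the two
/// input checks quoted in this report on a single array.
contract ManualWeightInputCheck {
    enum Result { Ok, WeightNotPositive, WeightTooLarge, LengthMismatch }

    /// @param weights        array as passed to setWeightsManually
    /// @param numberOfAssets the _numberOfAssets argument
    /// @param totalTokens    the pool's _totalTokens
    function check(
        int256[] memory weights,
        uint256 numberOfAssets,
        uint256 totalTokens
    ) public pure returns (Result) {
        // Range loop from setWeightsManually: only indices below
        // numberOfAssets are checked; later entries are not inspected here.
        for (uint256 i; i < weights.length; i++) {
            if (i < numberOfAssets) {
                if (weights[i] <= 0) return Result.WeightNotPositive;
                if (weights[i] >= 1e18) return Result.WeightTooLarge;
            }
        }
        // Length check from setWeights (reverts with "WLDL" in the original).
        if (weights.length != totalTokens * 2) return Result.LengthMismatch;
        return Result.Ok;
    }

    /// Constructed inputs for a two-token pool (sample values, not from the page).
    function samples() external pure returns (Result weightsOnly, Result packed) {
        // Case 1: one entry per token, no multipliers appended.
        int256[] memory a = new int256[](2);
        a[0] = 0.5e18;
        a[1] = 0.5e18;
        weightsOnly = check(a, 2, 2);

        // Case 2: assumed packed layout [w0, w1, m0, m1], weights first.
        int256[] memory b = new int256[](4);
        b[0] = 0.5e18;
        b[1] = 0.5e18;
        b[2] = 0.001e18;
        b[3] = 0.001e18;
        packed = check(b, 2, 2);
    }
}
```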

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_setWeights_manually_cannot_set_negative_modifier

Likelihood: Low, if admin wants to set negative modifier. Impact: Low/Medium can only set positive modifier.

Appeal created

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement