QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Hardcoded "version" String Breaks Version Tracking Capability

Description

The contract incorrectly uses a hardcoded string "version" instead of the stored _poolVersion state variable when creating new pools. This breaks the version control system's ability to track different deployed contract versions.

Impact

  • All deployed pools will have "version" as their version instead of the actual version number

  • Makes tracking and managing different versions of deployed contracts impossible

  • Breaks core versioning functionality that was explicitly designed into the system

  • Violates the IPoolVersion interface implementation expectations

Proof of Concept

The contract:

  1. Implements IPoolVersion interface

  2. Has proper version storage in _poolVersion state variable

  3. Constructor takes and stores poolVersion parameter

  4. Has getPoolVersion() function that returns _poolVersion

But in pool creation:

// In create() and createWithoutArgs()
version: "version", // Hardcoded string instead of _poolVersion

Recommended Mitigation

Replace the hardcoded "version" string with the stored version:

// In create() and createWithoutArgs()
/**
function create(NewPoolParams memory params) external returns (address pool, bytes memory poolArgs) {
if (params.roleAccounts.poolCreator != address(0)) {
revert StandardPoolWithCreator();
}
LiquidityManagement memory liquidityManagement = getDefaultLiquidityManagement();
liquidityManagement.enableDonation = params.enableDonation;
// disableUnbalancedLiquidity must be set to true if a hook has the flag enableHookAdjustedAmounts = true.
liquidityManagement.disableUnbalancedLiquidity = params.disableUnbalancedLiquidity;
poolArgs = abi.encode(
QuantAMMWeightedPool.NewPoolParams({
name: params.name,
symbol: params.symbol,
numTokens: params.normalizedWeights.length,
- version: "version",
+ version: _poolVersion,
updateWeightRunner: _updateWeightRunner,
poolRegistry: params.poolRegistry,
poolDetails: params.poolDetails
}),
getVault()
);
// rest of code
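Review bot: the `/**` line directly above `function create(...)` opens a comment that is never closed in the visible lines, so as posted the function body would be commented out; drop it or close it before the signature. On the changed line, `version: _poolVersion` only compiles if `_poolVersion` is visible in this contract and has the same type as the `version` field of `QuantAMMWeightedPool.NewPoolParams`; neither declaration is shown in the hunk, so both should be confirmed. A test that calls create() and compares the version recorded for the new pool against getPoolVersion() would pin the intended behaviour.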
function createWithoutArgs(NewPoolParams memory params) external returns (address pool) {
if (params.roleAccounts.poolCreator != address(0)) {
revert StandardPoolWithCreator();
}
LiquidityManagement memory liquidityManagement = getDefaultLiquidityManagement();
liquidityManagement.enableDonation = params.enableDonation;
// disableUnbalancedLiquidity must be set to true if a hook has the flag enableHookAdjustedAmounts = true.
liquidityManagement.disableUnbalancedLiquidity = params.disableUnbalancedLiquidity;
pool = _create(abi.encode(
QuantAMMWeightedPool.NewPoolParams({
name: params.name,
symbol: params.symbol,
numTokens: params.normalizedWeights.length,
- version: "version",
+ version: _poolVersion,
updateWeightRunner: _updateWeightRunner,
poolRegistry: params.poolRegistry,
poolDetails: params.poolDetails
}),
getVault()
), params.salt);
// rest of code
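Review bot: createWithoutArgs() repeats the same `QuantAMMWeightedPool.NewPoolParams({...})` literal as create(), which is why the `version` field has to be patched in two places. Consider building the encoded arguments in one internal helper that both functions call, so the field is set once and the two paths cannot drift apart.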

This ensures proper version tracking of deployed pools and maintains the integrity of the versioning system as designed.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_hardcoded_version

Version is immutable as specified in Version.sol and can be what the developer wants. It is hardcoded and will be changed by the admin for every deployment. No real impact here.
