A vulnerability exists in the onSwap function of the QuantAMMWeightedPool contract: the maxTradeSizeRatio check for EXACT_IN swaps bounds only the amount entering the pool and does not bound the amount of tokens leaving it. When the value of one token rises sharply relative to the other token in the pair, this allows an outflow of the second token far larger than the intended trade size limit, potentially destabilizing the pool.
Function: onSwap
Location: QuantAMMWeightedPool contract
The current implementation of onSwap for EXACT_IN swaps only checks whether the amount entering the pool (amountGivenScaled18) exceeds maxTradeSizeRatio of the input token's balance. It does not apply the same bound to the amount leaving the pool (amountOutScaled18), which is computed after that check and returned to the Vault unconstrained.
Scenario: in a weighted pool the exact-in quote is amountOut = balanceOut * (1 - (balanceIn / (balanceIn + amountIn))^(weightIn / weightOut)), so capping amountIn at maxTradeSizeRatio of balanceIn does not cap the output at the same share of balanceOut once weightIn / weightOut is large. If the value of token A rises sharply relative to token B (QuantAMM's weights are updated from oracle data, so such a move shows up in the pool as a larger weight on A relative to B), an EXACT_IN swap of A for B that passes the input check can still take a disproportionately large amount of B out of the pool. For example, with maxTradeSizeRatio = 10% and weightIn / weightOut = 10, an input of exactly 10% of balanceIn yields about 1 - (1/1.1)^10, roughly 61% of balanceOut. The same situation arises when a sudden price spike, oracle manipulation or market manipulation causes one token's value to balloon relative to the other.
This vulnerability allows pool balances to be manipulated: an attacker who can leverage (or cause) a price spike can drain a large share of one token from the pool in a single EXACT_IN swap, leaving the pool's token ratios imbalanced and degrading its liquidity and overall health.
Tools Used: Manual Review
Recommendation: implement an output token check in EXACT_IN swaps. After computing amountOutScaled18, revert if it exceeds maxTradeSizeRatio of the balance of the token being swapped out, mirroring the existing check on amountGivenScaled18 for the token being swapped in.
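The following is an added illustration of the recommended check; it is not QuantAMM's code. SwapKind, SwapParams, mulDown/divDown, the weight array and the revert name are simplified stand-ins for the Balancer V3 PoolSwapParams / FixedPoint / maxTradeSizeRatio pattern the finding refers to, and the weighted-math helper assumes a whole-number weight ratio so it needs no fractional fixed-point pow. onSwapInputOnly reproduces the pattern described above (ratio enforced on amountIn only); onSwapBothSides adds the output-side check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added illustration for the finding above, not QuantAMM's own code.
// SwapKind, SwapParams, mulDown/divDown and the revert name are simplified
// stand-ins for the Balancer V3 PoolSwapParams / FixedPoint / maxTradeSizeRatio
// pattern the finding refers to.

enum SwapKind { EXACT_IN, EXACT_OUT }

struct SwapParams {
    SwapKind kind;
    uint256 amountGivenScaled18;   // amountIn for EXACT_IN swaps
    uint256[] balancesScaled18;    // pool balances, 18-decimal fixed point
    uint256 indexIn;
    uint256 indexOut;
}

uint256 constant ONE = 1e18;

function mulDown(uint256 a, uint256 b) pure returns (uint256) { return (a * b) / ONE; }
function divDown(uint256 a, uint256 b) pure returns (uint256) { return (a * ONE) / b; }

// Weighted-pool quote for an exact-in swap:
//   amountOut = bOut * (1 - (bIn / (bIn + aIn)) ^ (wIn / wOut))
// Real pools use a fractional fixed-point pow (Balancer's LogExpMath); this
// helper assumes wIn is a whole multiple of wOut so the arithmetic stays short.
function computeOutGivenExactIn(
    uint256 bIn, uint256 wIn, uint256 bOut, uint256 wOut, uint256 aIn
) pure returns (uint256) {
    uint256 base = divDown(bIn, bIn + aIn);   // < ONE, so the loop below cannot exceed ONE
    uint256 power = ONE;
    for (uint256 i = 0; i < wIn / wOut; i++) {
        power = mulDown(power, base);
    }
    return mulDown(bOut, ONE - power);
}

contract TradeSizeLimitDemo {
    uint256 public immutable maxTradeSizeRatio;   // e.g. 0.1e18 means 10% of a balance
    uint256[] public weights;                     // only the ratio wIn/wOut enters the quote

    error MaxTradeSizeRatioExceeded();

    constructor(uint256 ratio, uint256[] memory w) {
        maxTradeSizeRatio = ratio;
        weights = w;
    }

    // The pattern the finding describes: only amountIn is bounded by maxTradeSizeRatio.
    function onSwapInputOnly(SwapParams memory p) public view returns (uint256 amountOut) {
        require(p.kind == SwapKind.EXACT_IN, "demo covers EXACT_IN only");
        uint256 balIn = p.balancesScaled18[p.indexIn];
        if (p.amountGivenScaled18 > mulDown(balIn, maxTradeSizeRatio)) {
            revert MaxTradeSizeRatioExceeded();
        }
        amountOut = computeOutGivenExactIn(
            balIn, weights[p.indexIn],
            p.balancesScaled18[p.indexOut], weights[p.indexOut],
            p.amountGivenScaled18
        );
    }

    // Hardened form: the same ratio is enforced on the computed amountOut too,
    // so a skewed weight ratio cannot turn a small input into a large outflow.
    function onSwapBothSides(SwapParams memory p) public view returns (uint256 amountOut) {
        amountOut = onSwapInputOnly(p);
        uint256 balOut = p.balancesScaled18[p.indexOut];
        if (amountOut > mulDown(balOut, maxTradeSizeRatio)) {
            revert MaxTradeSizeRatioExceeded();
        }
    }

    // Constructed scenario (assumes deployment with ratio 0.1e18 and weights [10, 1]):
    // equal 1000/1000 balances, a 10:1 weight ratio favouring token A, and an
    // input of exactly 10% of A's balance, which the input-only check accepts.
    function demo() external view returns (uint256 uncheckedOut, bool hardenedAccepts) {
        uint256[] memory balances = new uint256[](2);
        balances[0] = 1000e18;   // token A (in)
        balances[1] = 1000e18;   // token B (out)
        SwapParams memory p = SwapParams(SwapKind.EXACT_IN, 100e18, balances, 0, 1);
        uncheckedOut = onSwapInputOnly(p);
        try this.onSwapBothSides(p) returns (uint256) {
            hardenedAccepts = true;
        } catch {
            hardenedAccepts = false;   // output exceeds 10% of B's balance, so it is rejected
        }
    }
}
```

Deploy with `(0.1e18, [10, 1])` and call demo(): the input-only path returns an amountOut of roughly 614e18, about 61% of token B's balance, while the hardened path reverts with MaxTradeSizeRatioExceeded. Applying the bound to both legs of the swap, rather than only to the leg the caller specifies, is the design choice that makes the limit independent of how far the weight ratio has moved.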
Likelihood: Medium. Any EXACT_IN swap is affected, but only when one token's price has spiked relative to the other. Impact: Medium. The maxTradeSizeRatio limit can be bypassed on the output side of the swap.