QuantAMM

Summary

In the UpdateWeightRunner contract, the removeOracle function allows the admin to remove an oracle. However, the function lacks a critical validation to check whether the oracle has already been removed or was never added in the first place. This oversight can lead to the emission of meaningless events, unnecessary gas consumption, and bad coding practices that could harm the protocol's efficiency.

Vulnerability Details

Code Analysis

Current Implementation of removeOracle

Observations

1. Missing Validation for Oracle Status:
   The function does not verify whether the oracle has already been removed or was never added. This results in unnecessary state updates and event emissions.

2. Gas Inefficiency:
   Without the validation, the function performs redundant operations that waste gas, especially when the function call is unnecessary.

3. Meaningless Event Emissions:
   If the oracle has already been removed or was never added, the emitted event OracleRemved does not hold any meaningful value. This pollutes blockchain logs and adds to storage bloat.

4. Violation of CEI Pattern:
   The function modifies the state (approvedOracles) before performing the admin validation, which is against the Checks-Effects-Interactions pattern.

Impact

1. Increased Gas Costs:
   The admin pays unnecessary gas fees for redundant calls due to the missing validation.

2. Blockchain Log Pollution:
   Emitting meaningless events unnecessarily populates the blockchain with inefficient logs, making it harder to query and manage event data.

3. Inefficient Code Design:
   The missing validation reflects poor coding practices, reducing the overall maintainability and reliability of the protocol.

4. Negative User Experience:
   Admins may unintentionally execute redundant calls without realizing their impact, leading to frustration and inefficiencies.

Tools Used

Manual Review

Recommendations

Proposed Fix

The removeOracle function should include a validation to check if the oracle is already removed or has never been added. This ensures that only meaningful state changes occur, reducing gas waste and maintaining the integrity of the blockchain logs.

Updated removeOracle Function

Benefits of the Fix

1. Gas Optimization:
   Prevents unnecessary gas consumption by ensuring state changes and events are only executed when required.

2. Accurate Event Emissions:
   Ensures that the OracleRemved event is emitted only for valid removals, maintaining the meaningfulness of the blockchain logs.

3. Improved Code Quality:
   Adheres to Solidity best practices, making the code more maintainable and robust.

4. Better User Experience:
   Admins can avoid unintentional redundant calls, improving efficiency and reducing frustration.