QuantAMM

Submission Details
Severity: low
Invalid

Missing validation when setting `ethOracle` in the `setETHUSDOracle` function causes gas wastage and meaningless event emissions.

Summary

In the UpdateWeightRunner contract, the setETHUSDOracle function allows the admin to set the ETH-USD oracle. However, the function does not check whether the supplied address is already the configured oracle. This oversight leads to the emission of meaningless events, unnecessary gas consumption, and a coding practice that harms the protocol's efficiency.

Vulnerability Details

Code Analysis

Current Implementation of setETHUSDOracle

```solidity
function setETHUSDOracle(address _ethUsdOracle) public {
    require(msg.sender == quantammAdmin, "ONLYADMIN");
    // @> @info: missing check whether _ethUsdOracle is already set as ethOracle;
    //    if it is, the call only wastes gas and emits a meaningless event
    ethOracle = OracleWrapper(_ethUsdOracle);
    emit ETHUSDOracleSet(_ethUsdOracle);
}
```

Observations

  1. Missing Validation for oracle:
    The function does not verify whether the ETH-USD oracle has already been set or not. This results in unnecessary state updates and event emissions.

  2. Gas Inefficiency:
    Without the validation, the function performs redundant operations that waste gas, especially when the function call is unnecessary.

  3. Meaningless Event Emissions:
    If the oracle has already been set to the same address, the emitted ETHUSDOracleSet event carries no meaningful information. This pollutes blockchain logs and adds to storage bloat.

Impact

  1. Increased Gas Costs:
    The admin pays unnecessary gas fees for redundant calls due to the missing validation.

  2. Blockchain Log Pollution:
    Emitting meaningless events unnecessarily populates the blockchain with inefficient logs, making it harder to query and manage event data.

  3. Inefficient Code Design:
    The missing validation reflects poor coding practices, reducing the overall maintainability and reliability of the protocol.

  4. Negative User Experience:
    Admins may unintentionally execute redundant calls without realizing their impact, leading to frustration and inefficiencies.

Tools Used

Manual Review

Recommendations

Proposed Fix

The setETHUSDOracle function should include a validation to check if the ETH-USD oracle is already set. This ensures that only meaningful state changes occur, reducing gas waste and maintaining the integrity of the blockchain logs.

Updated setETHUSDOracle Function

```solidity
function setETHUSDOracle(address _ethUsdOracle) public {
    require(msg.sender == quantammAdmin, "ONLYADMIN");
+   require(address(ethOracle) != _ethUsdOracle, "ETH USD Oracle not changed");
    ethOracle = OracleWrapper(_ethUsdOracle);
    emit ETHUSDOracleSet(_ethUsdOracle);
}
```
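To show the proposed guard in a form that can be compiled and tested on its own, the following is an added example written for this page; it is not QuantAMM's code. It assumes a minimal stand-in for the protocol's `OracleWrapper` type, a constructor-set `quantammAdmin`, and a Foundry test environment (`forge-std`) for the test contract. It goes one step beyond the report by also rejecting the zero address, a separate hardening that the report itself does not propose.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol"; // assumption: Foundry test harness is available

// Minimal stand-in for the protocol's OracleWrapper type (assumption: the real
// contract exposes price functions; only the address cast matters here).
interface OracleWrapper {}

// Reduced setter contract carrying only the state the report discusses.
contract UpdateWeightRunnerSetterExample {
    address public immutable quantammAdmin;
    OracleWrapper public ethOracle;

    event ETHUSDOracleSet(address indexed ethUsdOracle);

    constructor(address _admin) {
        quantammAdmin = _admin;
    }

    function setETHUSDOracle(address _ethUsdOracle) public {
        require(msg.sender == quantammAdmin, "ONLYADMIN");
        // Extra hardening beyond the report: never configure an unset oracle.
        require(_ethUsdOracle != address(0), "ZERO_ORACLE");
        // The report's proposed guard: skip no-op updates and their events.
        require(address(ethOracle) != _ethUsdOracle, "ETH USD Oracle not changed");
        ethOracle = OracleWrapper(_ethUsdOracle);
        emit ETHUSDOracleSet(_ethUsdOracle);
    }
}

// Foundry tests exercising the guard. Addresses below are constructed values.
contract SetETHUSDOracleTest is Test {
    event ETHUSDOracleSet(address indexed ethUsdOracle);

    UpdateWeightRunnerSetterExample internal runner;
    address internal admin = address(0xA11CE);
    address internal oracleA = address(0x0A);
    address internal oracleB = address(0x0B);

    function setUp() public {
        runner = new UpdateWeightRunnerSetterExample(admin);
    }

    // First configuration stores the address and emits exactly one event.
    function testFirstSetStoresAndEmits() public {
        vm.prank(admin);
        vm.expectEmit(true, false, false, true);
        emit ETHUSDOracleSet(oracleA);
        runner.setETHUSDOracle(oracleA);
        assertEq(address(runner.ethOracle()), oracleA);
    }

    // Re-submitting the same address reverts instead of emitting a no-op event.
    function testRepeatSetReverts() public {
        vm.prank(admin);
        runner.setETHUSDOracle(oracleA);
        vm.prank(admin);
        vm.expectRevert(bytes("ETH USD Oracle not changed"));
        runner.setETHUSDOracle(oracleA);
    }

    // Changing to a different address is still allowed.
    function testChangeToNewOracleSucceeds() public {
        vm.prank(admin);
        runner.setETHUSDOracle(oracleA);
        vm.prank(admin);
        runner.setETHUSDOracle(oracleB);
        assertEq(address(runner.ethOracle()), oracleB);
    }

    // Access control is unchanged by the added guards.
    function testNonAdminReverts() public {
        vm.expectRevert(bytes("ONLYADMIN"));
        runner.setETHUSDOracle(oracleA);
    }

    // The extra zero-address guard rejects an unset oracle.
    function testZeroAddressReverts() public {
        vm.prank(admin);
        vm.expectRevert(bytes("ZERO_ORACLE"));
        runner.setETHUSDOracle(address(0));
    }
}
```

Run with `forge test` in a project that has `forge-std` installed. Note that the guard only prevents a same-address re-set; it does not validate that the new address is a working oracle, which is a separate concern the report does not raise.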

Benefits of the Fix

  1. Gas Optimization:
    Prevents unnecessary gas consumption by ensuring state changes and events are only executed when required.

  2. Accurate Event Emissions:
    Ensures that the ETHUSDOracleSet event is emitted only for valid calls, maintaining the meaningfulness of the blockchain logs.

  3. Improved Code Quality:
    Adheres to Solidity best practices, making the code more maintainable and robust.

  4. Better User Experience:
    Admins can avoid unintentional redundant calls, improving efficiency and reducing frustration.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
