QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

All update rule contracts are missing parameter validation. The vulnerability may cause invalid weight calculations and pool instability.

Summary

All the update rule contracts, i.e., AntiMomentumUpdateRule, ChannelFollowingUpdateRule, DifferenceMomentumUpdateRule, MinimumVarianceUpdateRule, MomentumUpdateRule, and PowerChannelUpdateRule, have a common internal function called _getWeights, which is used to calculate the new weights and forward them to their callers. The function, however, is missing validation of the _parameters argument values. _parameters is a 2D array of type int256 which contains important values for the weight calculations.

Vulnerability Details

*UpdateRule::_getWeights: (each contract has this function with an almost identical or similar definition and declaration (signature)).

function _getWeights(
int256[] calldata _prevWeights,
int256[] memory _data,
int256[][] calldata _parameters,
QuantAMMPoolParameters memory _poolParameters
) internal override returns (int256[] memory newWeightsConverted) {
@> // @info: missing _parameters validation
QuantAMMPowerChannelLocals memory locals;
locals.prevWeightsLength = _prevWeights.length;
.
.
...
}

Impact

  1. DoS

  2. Array Length Mismatches

  3. Service Disruption

  4. Lack of sanitization of invalid or malicious parameters

  5. Pool Instability

  6. etc.

I know you would say it's caller input validation, but IMO internal functions should at least contain an argument sanitization check in order to be doubly sure about the stability of the protocol's functionality.

Tools Used

Manual review

Recommendations

If we inspect all the update rule contracts, we'll find that there's also an external function named validParameters, which returns a boolean after validating parameters. This function is made for exactly this kind of parameter sanitization, but the issue is that it is only externally available.

So we can modify the visibility of the validParameters function and use it in the _getWeights function to validate the _parameters argument.

*UpdateRule::validParameters:

- function validParameters(int256[][] calldata parameters) external pure override returns (bool valid) {
+ function validParameters(int256[][] calldata parameters) public pure override returns (bool valid) {
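
Review bot: the external-to-public change on validParameters is shown for one contract only, but it has to be made in every update rule contract whose _getWeights will call it, because an external function cannot be called internally by name. Since the parameter stays calldata, the internal call only compiles from a caller that itself holds the array in calldata, which matches the `int256[][] calldata _parameters` argument of _getWeights; a caller holding a memory copy would not be able to use it.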

*UpdateRule::_getWeights:

function _getWeights(
int256[] calldata _prevWeights,
int256[] memory _data,
int256[][] calldata _parameters,
QuantAMMPoolParameters memory _poolParameters
) internal override returns (int256[] memory newWeightsConverted) {
+ require(validParameters(_parameters), "Invalid parameters");
QuantAMMPowerChannelLocals memory locals;
locals.prevWeightsLength = _prevWeights.length;
.
.
...
}
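
Review bot: the added `require(validParameters(_parameters), "Invalid parameters");` at the top of _getWeights reverts the whole weight update whenever the parameters fail validation, so a pool holding parameters that do not pass would have every update revert, which is itself the DoS listed under Impact. The check also reruns on every call; if parameters are already checked with validParameters at the point where they are set (not visible in this hunk), validating once there is cheaper and avoids the revert path. If the check is kept, state in a comment which invariants of _parameters the code below relies on, and consider a custom error in place of the revert string.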
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
