QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Lack of Normalized Sum Validation in setWeights Function Leading to Pool Instability and Potential Exploits

Summary

This report highlights a critical vulnerability in the setWeights function of the QuantAMM contract. The function lacks a check to ensure that the normalized sum of updated weights equals FixedPoint.ONE. This invariant is enforced during initialization in _setInitialWeights but is missing in setWeights, which can lead to operational instability and economic exploits. Additionally, since weights are defined as int256 instead of uint256, this introduces potential edge cases where negative values could bypass logical safeguards.

Vulnerability Details

In the _setInitialWeights function, a check ensures that the normalized sum of weights equals FixedPoint.ONE:

if (uint256(normalizedSum) != FixedPoint.ONE) {
    revert NormalizedWeightInvariant();
}

This ensures that the sum of weights maintains the invariant required for proper pool functionality.
In the setWeights function, there is no similar validation to enforce that the sum of weights equals FixedPoint.ONE.

Additionally, weights are defined as int256, which allows negative values. This introduces the risk of:

  • Invalid weight distributions.

  • Exploits where negative weights could manipulate calculations.

function _setInitialWeights(int256[] memory _weights) internal {
    require(_normalizedFirstFourWeights == 0, "init");
    require(_normalizedSecondFourWeights == 0, "init");
    InputHelpers.ensureInputLengthMatch(_totalTokens, _weights.length);
    int256 normalizedSum;
    for (uint i; i < _weights.length; ) {
        normalizedSum += _weights[i];
        unchecked {
            ++i;
        }
    }
    if (uint256(normalizedSum) != FixedPoint.ONE) {
        revert NormalizedWeightInvariant();
    }
}

setWeights Function

function setWeights(
    int256[] calldata _weights,
    address _poolAddress,
    uint40 _lastInterpolationTimePossible
) external override {
    require(msg.sender == address(updateWeightRunner), "ONLYUPDW");
    require(_weights.length == _totalTokens * 2, "WLDL");
    // No validation for normalizedSum == FixedPoint.ONE
    // Other logic omitted for brevity
}

The setWeights function is called by the updateWeightRunner with weights that do not sum to FixedPoint.ONE.

The lack of validation allows the weights to:

  • Sum to a value greater than FixedPoint.ONE, disrupting proportional calculations.

  • Sum to a value less than FixedPoint.ONE, leading to pool imbalances.

Impact

The absence of a normalized sum check and the use of int256 for weights can lead to:

  • Incorrect weight distributions that disrupt the pool's operation.

Tools Used

Manual Review

Recommendations

Include a check to validate that the sum of weights equals FixedPoint.ONE.
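One way the recommended check could look, as an added example that is not QuantAMM's code. It assumes FixedPoint.ONE is 1e18 and that the weights occupy the first _totalTokens entries of the _totalTokens * 2 array (the report does not describe the layout); WeightSumGuard, checkWeights and NegativeWeight are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Added illustration of a sum check for updated weights; not QuantAMM code.
contract WeightSumGuard {
    // Assumption: FixedPoint.ONE is 1e18 (18-decimal fixed point).
    int256 internal constant ONE = 1e18;

    error NormalizedWeightInvariant();
    error NegativeWeight(uint256 index); // hypothetical error, not in the report

    uint256 internal immutable _totalTokens;

    constructor(uint256 totalTokens_) {
        _totalTokens = totalTokens_;
    }

    /// Reverts unless the weight entries are non-negative and sum to ONE.
    /// Assumption: weights are the first `_totalTokens` entries of the array.
    function checkWeights(int256[] calldata _weights) public view {
        require(_weights.length == _totalTokens * 2, "WLDL");

        int256 normalizedSum;
        for (uint256 i; i < _totalTokens; ++i) {
            int256 w = _weights[i];
            // With int256 weights a sum-only check is not enough:
            // [1.5e18, -0.5e18] sums to ONE, so negatives are rejected explicitly.
            if (w < 0) revert NegativeWeight(i);
            // Checked arithmetic (Solidity >= 0.8) reverts on overflow here.
            normalizedSum += w;
        }

        // Compare as int256; no uint256 cast is needed once negatives are excluded.
        if (normalizedSum != ONE) revert NormalizedWeightInvariant();
    }
}
```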

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_sum_of_weights_can_exceeds_one_no_guard

According to the sponsor and my understanding, the sum of weights does not have to be exactly 1 to work fine. So no real impact here. Please provide a PoC showing a realistic impact if you disagree. This PoC cannot contain negative weights because they will be guarded per clampWeights.
