QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Unvalidated Empty Oracle Array in MultiHopOracle Constructor

Summary

The MultiHopOracle contract's constructor does not validate that the oracle array is non-empty, allowing the contract to be deployed in an unusable state. This oversight creates a permanent vulnerability where the core _getData() function will consistently revert due to array access on an empty array.

Vulnerability Details

Here's the vulnerable constructor code:

    constructor(HopConfig[] memory _oracles) {
        for (uint i = 0; i < _oracles.length; i++) {
            oracles.push(_oracles[i]);
        }
    }

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/MultiHopOracle.sol#L19C3-L23C6

When this constructor is called with an empty array, it completes successfully. However, the first line of _getData() will always revert:

    function _getData() internal view override returns (int216 data, uint40 timestamp) {
        HopConfig memory firstOracle = oracles[0]; // Reverts if oracles array is empty
        // ... rest of the function
    }

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/MultiHopOracle.sol#L29

The constructor accepts any array length without validation, including zero-length arrays. This violates the core assumption of the _getData() function, which requires at least one oracle to operate.

Impact

The contract can be deployed in a permanently unusable state. Because the constructor only runs once upon deployment, this condition cannot be fixed post-deployment.

Tools Used

Manual review

Recommendations

Here's the corrected constructor with proper validation:

    constructor(HopConfig[] memory _oracles) {
        require(_oracles.length > 0, "MultiHopOracle: empty oracle array");
        for (uint i = 0; i < _oracles.length; i++) {
            require(address(_oracles[i].oracle) != address(0), "MultiHopOracle: invalid oracle");
            oracles.push(_oracles[i]);
        }
    }
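
The failure mode and the recommended checks side by side, as an added example that is not code from the QuantAMM repository or from the report. `HopConfig` is reduced to a single `address oracle` field, and `UncheckedHops`, `CheckedHops`, `EmptyArrayCheck` and the external `getData()` wrapper are hypothetical stand-ins.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Constructed stand-in: the real HopConfig is not shown on the page, so only
// the `oracle` field used by the report is modelled, as a plain address.
struct HopConfig {
    address oracle;
}

// Constructor as quoted in the report: accepts a zero-length array.
contract UncheckedHops {
    HopConfig[] public oracles;

    constructor(HopConfig[] memory _oracles) {
        for (uint i = 0; i < _oracles.length; i++) {
            oracles.push(_oracles[i]);
        }
    }

    // Hypothetical external wrapper around the first line of _getData().
    function getData() external view returns (address first) {
        first = oracles[0].oracle; // out-of-bounds read when oracles is empty
    }
}

// Constructor with the checks from the Recommendations section.
contract CheckedHops {
    HopConfig[] public oracles;

    constructor(HopConfig[] memory _oracles) {
        require(_oracles.length > 0, "MultiHopOracle: empty oracle array");
        for (uint i = 0; i < _oracles.length; i++) {
            require(_oracles[i].oracle != address(0), "MultiHopOracle: invalid oracle");
            oracles.push(_oracles[i]);
        }
    }
}

// Deploys both variants with an empty array and records what happens.
contract EmptyArrayCheck {
    function run() external returns (bool deployed, uint256 panicCode, string memory ctorReason) {
        HopConfig[] memory none = new HopConfig[](0);
        UncheckedHops u = new UncheckedHops(none); // succeeds: nothing validates the length
        deployed = address(u).code.length > 0;
        try u.getData() returns (address) {} catch Panic(uint256 code) { panicCode = code; }
        try new CheckedHops(none) returns (CheckedHops) {}
        catch Error(string memory reason) { ctorReason = reason; }
    }
}
```

On Solidity 0.8.x an out-of-bounds array read reverts with panic code 0x32, so `run()` reports a successful unchecked deployment, that panic code from `getData()`, and the empty-array reason string from the checked constructor.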

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
