QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Insufficient input validation on weight result value

Summary

The requirement that the result be >= 0 does not comply with the restrictions stated in the Balancer docs.

Vulnerability Details

require(res >= 0, "Invalid weight");
In numerous instances, there is a require statement to ensure that the result from the _getWeights calculation is >= 0. However, this check is not exhaustive and does not meet the restrictions of a Balancer pool.
In the Balancer docs, https://docs.balancer.fi/concepts/explore-available-balancer-pools/weighted-pool/weighted-pool.html#overview, it is stated that:
The minimum token weight is 1%

Instances of this are:
https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/rules/PowerChannelUpdateRule.sol#L149
https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/rules/DifferenceMomentumUpdateRule.sol#L148
https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/rules/MomentumUpdateRule.sol#L128
https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/rules/ChannelFollowingUpdateRule.sol#L249

Impact

Incompatibility with Balancer pools if weights are <1%.

Tools Used

Manual review

Recommendations

Change the require statement to ensure the weights comply with the restrictions mentioned in the Balancer docs.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_weights_can_be_negative_or_extreme_values

_clampWeights will check that these weights are positive and in the boundaries before writing them in storage.
