QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Missing _newMovingAverages array length validation in setIntermediateValuesManually()

elolpuer

Summary

UpdateWeightRunner.sol:setIntermediateValuesManually() function lacks of validation int256[] memory _newMovingAverages array.

Vulnerability Details

In UpdateWeightRunner.sol:setIntermediateValuesManually() function poolManager or quantammAdmin can pass parameters with mismatched lengths for _newMovingAverages and _numberOfAssets without any validation:

/// @param _poolAddress the target pool
/// @param _newMovingAverages manual new moving averages
/// @param _newParameters manual new parameters
/// @param _numberOfAssets number of assets in the pool
function setIntermediateValuesManually(
address _poolAddress,
int256[] memory _newMovingAverages,
int256[] memory _newParameters,
uint _numberOfAssets
) external {
uint256 poolRegistryEntry = approvedPoolActions[_poolAddress];
//Who can trigger these very powerful breakglass features is under review
if (poolRegistryEntry & MASK_POOL_OWNER_UPDATES > 0) {
require(msg.sender == poolRuleSettings[_poolAddress].poolManager, "ONLYMANAGER");
} else if (poolRegistryEntry & MASK_POOL_QUANTAMM_ADMIN_UPDATES > 0) {
require(msg.sender == quantammAdmin, "ONLYADMIN");
} else {
revert("No permission to set intermediate values");
}
IUpdateRule rule = rules[_poolAddress];
// utilises the base function so that manual updates go through the standard process
rule.initialisePoolRuleIntermediateValues(_poolAddress, _newMovingAverages, _newParameters, _numberOfAssets);
emit SetIntermediateValuesManually(
msg.sender,
_poolAddress,
_newMovingAverages,
_newParameters,
_numberOfAssets
);
}

Impact

Pool state might be updated incorrectly

Tools Used

Manual Review

Recommendations

Add this lines before rule.initialisePoolRuleIntermediateValues(_poolAddress, _newMovingAverages, _newParameters, _numberOfAssets);:

uint256 assetsLength = IQuantAMMWeightedPool(_poolAddress).getQuantAMMWeightedPoolImmutableData().tokens.length;
require(assetsLength == _newMovingAverages.length && assetsLength == _numberOfAssets, "wrong moving averages length");
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!