Incorrect array length validation in matrix packing function
Summary
The _quantAMMPack128Matrix function in VectorRuleQuantAMMStorage contract fails to enforce the correct array length for storing packed matrix elements. For a 3x3 matrix example, the target array must be exactly 5 elements as specified in the comments, but the code allows for different lengths.
Vulnerability Details
Here's the current implementation:
The comment clearly states:
For a 3x3 matrix with 9 elements:
Each storage slot holds 2 elements (except the last one)
8 elements require 4 full slots
The 9th element requires 1 half-filled slot
Total required slots = 5
However, the validation only checks if the target array is large enough (>=) rather than enforcing an exact size match for optimal storage usage.
Similar issue is in _quantAMMUnpack128Matrix function:
Impact
The current implementation allows arrays larger than necessary and it is inconsistent with the documented design.
Tools Used
Manual review
Recommendations
Implement the exact length validation.
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.