QuantAMM

Summary:

The calculateBlockNormalisedWeight function can cause an underflow when the weight variable is smaller than the product of a negative multiplier and timeSinceLastUpdate. This underflow occurs during the subtraction operation and leads to a revert, potentially disrupting the contract's functionality.

Root Cause:

In the calculateBlockNormalisedWeight function, when the multiplier is negative, the function computes:

If the result of FixedPoint.mulUp(uint256(-multiplierScaled18), timeSinceLastUpdate) exceeds weight, the subtraction underflows, causing the transaction to revert due to an arithmetic error. Since Solidity 0.8.x has built-in overflow and underflow checking, this scenario will halt execution.

Vulnerable Code:

Attack Path:

1. Conditions Alignment:

   • weight is a small positive integer.

   • multiplier is a negative value with a significant magnitude.

   • timeSinceLastUpdate is large (e.g., due to a delayed update).

2. Execution: When calculateBlockNormalisedWeight is called under these conditions, the multiplication results in a value larger than weight.

3. Underflow Occurs: The subtraction underflows, causing the function to revert.

4. Impact: Legitimate operations fail due to the arithmetic revert, potentially halting essential contract functions and affecting users.

Proof of Concept (PoC):

Assuming:

• weight = 1

• multiplier = -1e18 (i.e., -1 in 18 decimal fixed-point representation)

• timeSinceLastUpdate = 2

Calculations:

• multiplierScaled18 = -1e18 * 1e18 = -1e36

• -multiplierScaled18 = 1e36

Compute:

Recommendation:

Add a check to ensure that the subtraction does not underflow by verifying that weight is greater than or equal to the subtraction amount before performing the operation. Alternatively, use SafeMath library functions or Solidity's checked arithmetic to handle potential underflows gracefully.

Modified Code: