Pool becomes useless when `setUpdateWeightRunnerAddress()` is called.
Summary
In the QuantAMMWeightedPool contract, there is an admin function called setUpdateWeightRunnerAddress(), if this function is ever used, it will render the pool useless due to many cascading effects, but here is the most servere.
Vulnerability Details
On the QuantAMMWeightedPool after the updateWeightRunner is changed, the Pool contract has no way to call updateWeightRunner.setRuleForPool() which is used to set the price oracles for the pool on the new updateWeightRunner contract. This is because setRule is only called during initialization of the pool.
The lack of Price availabilty restricts multiple functions of the pool.
Another issue is that the updateWeightRunner address is hardcoded on the UpliftOnlyExample contract as an immutable state variable. This will also lead to issues when getting price, or the updated fees when they are changed on the new contract.
Impact
This harms the LPs as well as all price related activities
Tools Used
Manual Review
Recommended Mitigation
Add the function to update the oracles on the new updateWeightRunner by adding a public setRule function in the pool contract, Make the updateWeightRunner variable public on the pool contract as well, and always fetch it in realtime whenever it is to be used in other contracts.
Lead Judging Commences
finding_setUpdateWeightRunnerAddress_will_DoS_rules
Likelihood: Low, when setting a new UpdateWeightRunner (for hotfixes) Impact: High, DoS performUpdate and force redeployment
Appeal created
finding_setUpdateWeightRunnerAddress_will_DoS_rules
Likelihood: Low, when setting a new UpdateWeightRunner (for hotfixes) Impact: High, DoS performUpdate and force redeployment
finding_immutable_updateWeightRunner_in_uplift_lead_to_old_data
Likelihood: Low, when `updateWeightRunner` needs a hotfix. Impact: High, need to redeploy the pool.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.