QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Wrong Pool version used for all deployed pools

Summary

All pools created with the QuantAMMWeightedPoolFactory contract will have the wrong version.

Vulnerability Details

The factory contract has a set version which is set in the constructor during deployment.

    /// @inheritdoc IPoolVersion
    function getPoolVersion() external view returns (string memory) {
        return _poolVersion;
    }

That version is to be used during deployment of individual pools.
However, that was not used in createWithoutArgs() and create():

    pool = _create(abi.encode(
        QuantAMMWeightedPool.NewPoolParams({
            name: params.name,
            symbol: params.symbol,
            numTokens: params.normalizedWeights.length,
            version: "version", //@audit wrong pool version used in the factory
            updateWeightRunner: _updateWeightRunner,
            poolRegistry: params.poolRegistry,
            poolDetails: params.poolDetails
        }),
        getVault()
    ), params.salt);

As seen above, during deployment of pools, the factory just uses the hardcoded string "version" as the version name.

Impact

A wrong version is set on the pools, and the factory and pool are now of different versions.

Tools Used

Manual review.

Recommended Mitigation

Just as it was done in the Balancer repo, use the actual pool version set in the factory contract instead of the hardcoded value.
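
The recommendation above, as an added example that is not part of the original submission or the QuantAMM or Balancer code base. MiniPool, MiniFactory, createHardcoded, createForwarded and versionMatches are hypothetical stand-ins; only _poolVersion, getPoolVersion() and the literal "version" come from the report. It places the reported pattern next to the forwarded form and adds a check that a deployment test can assert on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Simplified stand-ins (hypothetical): not the QuantAMM or Balancer contracts.
contract MiniPool {
    string private _version;

    constructor(string memory version_) {
        _version = version_;
    }

    function version() external view returns (string memory) {
        return _version;
    }
}

contract MiniFactory {
    // Set once when the factory is deployed, as described in the report.
    string private _poolVersion;

    constructor(string memory poolVersion) {
        _poolVersion = poolVersion;
    }

    function getPoolVersion() external view returns (string memory) {
        return _poolVersion;
    }

    // Pattern from the report: every pool receives the literal "version".
    function createHardcoded() external returns (MiniPool) {
        return new MiniPool("version");
    }

    // Recommended form: forward the version stored in the factory.
    function createForwarded() external returns (MiniPool) {
        return new MiniPool(_poolVersion);
    }

    // True only when the pool reports the same string as getPoolVersion().
    function versionMatches(MiniPool pool) external view returns (bool) {
        string memory expected = _poolVersion;
        return keccak256(bytes(pool.version())) == keccak256(bytes(expected));
    }
}
```

With a factory deployed using any pool version other than the literal "version", versionMatches returns false for a pool from createHardcoded and true for one from createForwarded.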

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_hardcoded_version

Version is immutable as specified in Version.sol and can be what the developer wants. It is hardcoded and will be changed by the admin for every deployment. No real impact here.
