QuantAMM

Summary

The create function in the poolFactory contract allows attackers to predict the address of a pool (via CREATE2). An attacker can exploit this by frontrunning and registering the same pool address in the vault. This results in a PoolAlreadyRegistered error during the execution of _registerPool in the user’s transaction, leading to a denial-of-service (DoS) on pool creation

Vulnerability Details

• The address of the pool created by the create function is predictable due to the deterministic nature of the CREATE2 opcode.

• An attacker can monitor the transaction pool and identify create calls.

• Before the create function completes, the attacker can frontrun the transaction and register the predictable pool address in the vault by invoking vault.registerPool(). link

• Note: attacker calls vault.registerPool() and it fallbacks and delegates call to VaultExtension.registerPool()

• Note: attacker does not pass hool parameter to bypass this pool factory check on registerPool :

  if (params.poolHooksContract != address(0)) {

  // If a hook address was passed, make sure that hook trusts the pool factory.

  if (

  IHooks(params.poolHooksContract).onRegister(

  msg.sender,

  pool,

  params.tokenConfig,

  params.liquidityManagement

  ) == false

  ) {

  revert HookRegistrationFailed(params.poolHooksContract, pool, msg.sender);

  }

• This causes the PoolAlreadyRegistered error when _registerPool is invoked (link) in the original transaction, reverting the user’s transaction and preventing pool creation.

Impact

Prevents legitimate users from successfully creating new pools. (DoS)

Tools Used

vscode

Recommendations

user create for contract deployments (Since CREATE does not provide deterministic address calculation, it is not possible to predict the contract’s address ahead of time, even if you know the details of the transaction, like the sender and the bytecode.)

or limit the registerPool access