QuantAMM

49,600 OP
Ended
Submission Details
Severity: medium
Invalid

Missing updateInterval Check in setWeights Function can lead to spamming of weight updates

Summary

The function setWeights is responsible for updating weights and their associated multipliers in a QuantAMM pool. It takes _weights, _poolAddress, and _lastInterpolationTimePossible as inputs, performs validations, updates the pool's state, and emits an event. However, there is no direct use of an updateInterval variable in this function.

NB: The updateInterval variable in a smart contract typically defines the time gap between successive updates or actions.

In the context of weight updates, updateInterval would likely be used to ensure that the function is called only after a specific time has elapsed since the last update. This would prevent excessive or unintended updates to the pool's weights.

Vulnerability Details

The function allows updates without any time restriction: try calling the setWeights function multiple times within a short time frame.

function setWeights(
    int256[] calldata _weights,
    address _poolAddress,
    uint40 _lastInterpolationTimePossible
) external override {
    require(msg.sender == address(updateWeightRunner), "ONLYUPDW");
    require(_weights.length == _totalTokens * 2, "WLDL"); // weight length different

    if (_weights.length > 8) {
        int256[][] memory splitWeights = _splitWeightAndMultipliers(_weights);
        _normalizedFirstFourWeights = quantAMMPack32Array(splitWeights[0])[0];
        _normalizedSecondFourWeights = quantAMMPack32Array(splitWeights[1])[0];
    } else {
        _normalizedFirstFourWeights = quantAMMPack32Array(_weights)[0];
    }

    // struct allows one SSTORE
    poolSettings.quantAMMBaseInterpolationDetails = QuantAMMBaseInterpolationVariables({
        lastPossibleInterpolationTime: _lastInterpolationTimePossible,
        lastUpdateIntervalTime: uint40(block.timestamp)
    });

    emit WeightsUpdated(_poolAddress, _weights);
}

As you can see above, no update interval is checked.

Impact

Inefficient operations due to excessive updates.

Tools Used

Manual Review

Recommendations

require(
    block.timestamp >= poolSettings.quantAMMBaseInterpolationDetails.lastUpdateIntervalTime + updateInterval,
    "Update interval not reached"
);

Updates

Lead Judging Commences

n0kto Lead Judge 25 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

This check is in performUpdate, and the manual function called by the admin is trusted.
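
The layering the judgement describes, as an added sketch that is not QuantAMM's code: when setWeights accepts only the runner, the interval gate sits on the runner's performUpdate path, and a trusted admin override can skip it. The contract names, the admin function, the "ONLYADMIN" string and the fixed equal-weight vector are assumptions, as is performUpdate being callable by anyone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added sketch, not QuantAMM code: names other than setWeights/performUpdate are hypothetical.
interface ISketchPool {
    function setWeights(int256[] calldata weights) external;
}

contract SketchPool is ISketchPool {
    address public immutable runner;
    int256[] public weights;
    constructor(address runner_) {
        runner = runner_;
    }

    // No interval check here: the only accepted caller is the runner.
    function setWeights(int256[] calldata weights_) external override {
        require(msg.sender == runner, "ONLYUPDW");
        weights = weights_;
    }
}

contract SketchRunner {
    address public immutable admin;
    uint40 public immutable updateInterval; // seconds between automated updates
    mapping(address => uint40) public lastUpdateTime;
    constructor(uint40 updateInterval_) {
        admin = msg.sender;
        updateInterval = updateInterval_;
    }

    // Assumed callable by anyone, so the rate limit lives on this path.
    function performUpdate(address pool) external {
        require(
            block.timestamp >= uint256(lastUpdateTime[pool]) + updateInterval,
            "Update interval not reached"
        );
        lastUpdateTime[pool] = uint40(block.timestamp);
        int256[] memory w = new int256[](2);
        w[0] = 5e17; w[1] = 5e17; // stand-in for the update rule's output
        ISketchPool(pool).setWeights(w);
    }

    // Trusted admin path: intentionally bypasses the interval.
    function setWeightsManually(address pool, int256[] calldata w) external {
        require(msg.sender == admin, "ONLYADMIN");
        ISketchPool(pool).setWeights(w);
    }
}
```

When reviewing a pattern like this, the property to confirm is that every caller the pool accepts is either rate-limited or explicitly trusted; a second unauthenticated route into setWeights would reopen the issue the submission describes.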
