Wrong calculation of Variance
Summary
In variance calculation it packs each 2 variance in 1 and if number of assets is odd then last will be appended directly at the end.
Incase of odd number and a vector lambda the check for notDivisbleByTwo is missing leading to wrong values being calculated
logic goes as follow
if length is even ex: 8
| intermediateVarianceStates | [0] | [1] | [2] | [3] |
|---|---|---|---|---|
| indexes packed | 0,1 | 2,3 | 4,5 | 6,7 |
if length is 7
| intermediateVarianceStates | [0] | [1] | [2] | [3] |
|---|---|---|---|---|
| indexes packed | 0,1 | 2,3 | 4,5 | 6 |
With vector lambda subtracting 1 from nMinusOne is missing leading to loop go as follow
| intermediateVarianceStates | [0] | [1] | [2] | [3] | [4] |
|---|---|---|---|---|---|
| indexes packed | 0,1 | 2,3 | 4,5 | 6,7 | 8 |
with values of index 7,8 is zero leading to wrong calculation and mismatching of future variance calculation
- wrong values will be calculated
- admin can't assign the correct values as length won't match his inputted data
wrong values stored as in this example storage length is retrieved from tokens length and %2 !=0 so value will be retrieved in this example index[3] that holds a packed value without unpacking and the wrong value will be used
Impact
broken calculation giving wrong calculation affecting all function depends on it
MinimumVarianceUpdateRule
Tools Used
manual review
Recommendations
apply the correct check incase of odd number incsae of vector lambda
Lead Judging Commences
finding_calculateQuantAMMVariance_revert_when_vector_lambda_and_odd_asset_number
Likelihood: Medium/High, odd asset number + lambda is a vector. Impact: Medium/High, DoS the update.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.