QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Missing updateInterval zero check can make pool unusable

Summary

The UpdateWeightRunner contract does not validate that updateInterval is non-zero during pool initialization. A zero value later causes a division by zero in the weight calculation, so every weight update reverts. The issue is irreversible because the value cannot be changed after setup.

Vulnerability Details

A deployer can mistakenly pass 0 for updateInterval when creating a new pool. Since updateInterval is never checked to be non-zero, deployment and initialization succeed:

function setRuleForPool(
    IQuantAMMWeightedPool.PoolSettings memory _poolSettings
) external {
    require(_poolSettings.oracles.length > 0, 'Empty oracles array');
    // ... other validations ...
    poolRuleSettings[msg.sender] = PoolRuleSettings({
        lambda: _poolSettings.lambda,
        epsilonMax: _poolSettings.epsilonMax,
        absoluteWeightGuardRail: _poolSettings.absoluteWeightGuardRail,
        ruleParameters: _poolSettings.ruleParameters,
        // @audit updateInterval is stored unchecked, can be 0
        timingSettings: PoolTimingSettings({
            updateInterval: _poolSettings.updateInterval,
            lastPoolUpdateRun: 0
        }),
        poolManager: _poolSettings.poolManager
    });
}

Later, this value is used as the denominator when the per-block multiplier is computed for newly set weights:

function _calculateMultiplerAndSetWeights(
    CalculateMuliplierAndSetWeightsLocal memory local
) internal {
    // ...
    // @audit division by zero when local.updateInterval == 0
    int256 blockMultiplier = (local.updatedWeights[i] - local.currentWeights[i]) /
        local.updateInterval;
}

With updateInterval equal to 0, this division reverts (Solidity 0.8 raises a Panic on division by zero). The issue is permanent because there is no mechanism to update updateInterval after it is stored, so the pool is unusable: its core feature, weight updates, can never be performed.

Impact

  • Pool becomes permanently unusable if deployed with zero updateInterval

  • All weight update attempts will revert

  • No way to fix after deployment as updateInterval can't be updated

I consider this to be medium severity.

Tools Used

Manual code review

Recommendations

Add updateInterval validation during pool setup:

require(_poolSettings.updateInterval > 0, 'Invalid update interval');
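The following Foundry test is an added example and is not QuantAMM code. It uses a minimal stand-in contract (MinimalRunner, hypothetical) that stores the timing settings exactly as the report describes, with and without the recommended guard, and shows that the unguarded variant accepts a zero interval at setup and then reverts with Panic(0x12) on the first multiplier computation, while the guarded variant rejects the zero value at setup. The uint40 type for updateInterval and the weight values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

/// Hypothetical stand-in for the runner's timing storage (not QuantAMM code).
contract MinimalRunner {
    struct TimingSettings {
        uint40 updateInterval; // assumed type
        uint40 lastPoolUpdateRun;
    }

    mapping(address => TimingSettings) public timing;
    bool public immutable guarded; // true = variant with the recommended zero check

    constructor(bool _guarded) {
        guarded = _guarded;
    }

    /// Mirrors setRuleForPool: the weak variant stores the interval without validation.
    function setRule(uint40 updateInterval) external {
        if (guarded) {
            require(updateInterval > 0, "Invalid update interval");
        }
        timing[msg.sender] = TimingSettings({updateInterval: updateInterval, lastPoolUpdateRun: 0});
    }

    /// The per-block multiplier step from the report: divides by the stored interval.
    function blockMultiplier(address pool, int256 currentWeight, int256 updatedWeight)
        external
        view
        returns (int256)
    {
        return (updatedWeight - currentWeight) / int256(uint256(timing[pool].updateInterval));
    }
}

contract UpdateIntervalTest is Test {
    // Unguarded: setup succeeds with 0, the first weight update reverts with Panic(0x12).
    function test_UnguardedRunnerRevertsOnWeightUpdate() public {
        MinimalRunner runner = new MinimalRunner(false);
        runner.setRule(0);
        vm.expectRevert(stdError.divisionError);
        runner.blockMultiplier(address(this), 0.5e18, 0.6e18);
    }

    // Guarded: the zero interval is rejected at setup, before anything is stored.
    function test_GuardedRunnerRejectsZeroInterval() public {
        MinimalRunner runner = new MinimalRunner(true);
        vm.expectRevert(bytes("Invalid update interval"));
        runner.setRule(0);
    }

    // Guarded with a sane interval: (0.6 - 0.5) / 10 = 0.01 per block.
    function test_GuardedRunnerWorksWithNonZeroInterval() public {
        MinimalRunner runner = new MinimalRunner(true);
        runner.setRule(10);
        assertEq(runner.blockMultiplier(address(this), 0.5e18, 0.6e18), 0.01e18);
    }
}
```

Run with `forge test` in a project that has forge-std installed; stdError.divisionError is the ABI-encoded Panic(0x12) that Solidity 0.8 emits on division by zero, which is the exact revert the report predicts.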

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
