QuantAMM

Summary

The setWeightsManually function allows manual adjustment of weights for assets in a pool. However, when _numberOfAssets is smaller than the length of the _weights array, the function partially validates weights, leaving unvalidated elements in the _weights array. This creates potential risks, as unvalidated elements can bypass intended constraints.

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/UpdateWeightRunner.sol#L579

Vulnerability Details

Issue: Partial Validation of _weights Array

The validation loop in the setWeightsManually function checks weights only for indices less than _numberOfAssets:

If _numberOfAssets is smaller than _weights.length, weights at indices greater than or equal to _numberOfAssets are not validated. These unchecked weights could potentially contain invalid or malicious values.

Impact

The vulnerability can lead to Bypassing Validation, as unvalidated elements in the _weights array could have negative values or exceed the 1e18 limit, which might disrupt pool calculations or lead to undefined behavior.

Tools Used

• Manual code review

Recommendations

1. Validate Entire _weights Array:
   Ensure that all elements in the _weights array are validated, irrespective of the _numberOfAssets. Modify the validation loop as follows:

   require(_weights.length == _numberOfAssets, "Weights array length must match number of assets");

   ​

   for (uint i; i < _weights.length; i++) {

   require(_weights[i] > 0, "Negative weight not allowed");

   require(_weights[i] < 1e18, "Weight greater than 1 not allowed");

   }

By implementing these recommendation, the vulnerability can be mitigated, ensuring proper validation and secure operation of the setWeightsManually function.