Inconsistent Storage Array Indexing in QuantAMMGradientBasedRule Contract
Summary
The _calculateQuantAMMGradient function in QuantAMMGradientBasedRule.sol is inconsistent in its array indexing between its scalar and per-constituent lambda cases when storing packed gradient values
Vulnerability Details
In the _calculateQuantAMMGradient function, there are two main code paths:
The Scalar lambda case when _poolParameters.lambda.length == 1:
and the per-constituent lambda case:
The scalar case correctly uses locals.storageArrayIndex which increments by 1 but the per-constituent case incorrectly uses i which increments by 2. Both cases increment locals.storageArrayIndex in their unchecked blocks, but only one case uses it
Impact
Using i as the storage index results in non-continuous storage slots (0, 2, 4, etc.) and it also wastes storage slots and increases gas costs.
Tools Used
Manual code review
Recommendations
Lead Judging Commences
finding_gradient_rules_more_than_3_assets_and_1_lambda_will_DoS_the_update
Likelihood: Medium/High, assets>4, lambdas > 1. Impact: Medium/High, DoS update but pool works fine. Pool with 5 assets will use incorrect weights.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.