QuantAMM

Summary

Array out of Bound error can happen in QuantammVarianceBasedRule.sol file. In the file we have _calculateQuantAMMVariance() function which calculates the variance. It has two parts, one where the lambda value is the same for all and another where the lambda value is different for each asset. In each section, we again have two parts one is when the number of assets is odd and another is even. Array Out Of Bound error will happen when the lambda value is different of each asset and the number of assets is odd.

Initially locals.n value is set to number of assets and nMinusOne = locals.n - 1. Now when the lambda is different for each asset function goes to second part and runs the for loop suppose no. of assets is 5 then n= 5 and nMinusOne = 4. For loop loops for i=0 and 2 and for loop ends.

After the end of for loop we have check which checks if the number of assets is odd
if (locals.notDivisibleByTwo)
If this condition is true then the value of nMinusOne increases by 1. After adding this now the value of nMinusOne = 4 + 1 = 5. and then try to access the 5th index of arrays but the length of the array is 5 hence maximum index is 4 which is less than 5.

Hence while calculating Variance when the lambda is different for each assets and number of assets is odd then it gives us error and hence we cannot calculate the variance as a result Weights will not be updated.

Vulnerability Details

Impact

1. Weights will not be updated.

Tools Used

Manual Review

Recommendations

1. Update the logic to ensure that nMinusOne does not exceed the valid array indices.

2. If the assets are odd do not add the value of nMinusOne value.