QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Optimize require Statements for Early Exit in UpdateWeightRunner::addOracle Function

Summary

The UpdateWeightRunner::addOracle function performs two require validations: checking for proper access control (msg.sender == quantammAdmin) and ensuring the Oracle address is valid (oracleAddress != address(0)). While these validations are correct, their order can be optimized to prioritize the access control check, improving the function's clarity and efficiency by preventing unnecessary computations for unauthorized callers.

Vulnerability Details

  • Current Implementation Order:

    require(oracleAddress != address(0), "Invalid oracle address");
    require(msg.sender == quantammAdmin, "ONLYADMIN");

In this order, the function validates the oracle address even if the caller is unauthorized.

  • Optimized Order:
    By placing the access control validation first, the function exits early for unauthorized users, saving gas and improving readability.

    Updated implementation:

    require(msg.sender == quantammAdmin, "ONLYADMIN");
    require(oracleAddress != address(0), "Invalid oracle address");

Impact

  • Unnecessary gas usage.

Tools Used

Manual review

Recommendations

  • Reorder the require Statements:
    Update the function to prioritize the access control validation:

    function addOracle(OracleWrapper _oracle) external {
        require(msg.sender == quantammAdmin, "ONLYADMIN");
        address oracleAddress = address(_oracle);
        require(oracleAddress != address(0), "Invalid oracle address");
        // Logic for adding the oracle goes here
    }

  • Adopt Standard Practices for All Functions:
    Ensure access control checks consistently come first in all relevant functions across the protocol to maintain efficiency and readability.

This report highlights the importance of structuring require statements for optimal performance and adherence to best practices in Solidity development. While the issue is not critical, addressing it contributes to a cleaner and more maintainable codebase.
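One way to check the second recommendation across a codebase, added here as an example and not part of the submission or the QuantAMM code: a regex heuristic that flags functions where a require on msg.sender follows another require. The two function names in SAMPLE are constructed from the orderings quoted above; the scan only understands plain require calls, not modifiers or custom-error reverts, and does not handle braces or comment markers inside string literals.

```python
import re

# Constructed sample: the two orderings quoted in the report, as two functions.
SAMPLE = '''
contract Demo {
    function addOracleCurrent(OracleWrapper _oracle) external {
        address oracleAddress = address(_oracle);
        require(oracleAddress != address(0), "Invalid oracle address");
        require(msg.sender == quantammAdmin, "ONLYADMIN");
    }
    function addOracleReordered(OracleWrapper _oracle) external {
        require(msg.sender == quantammAdmin, "ONLYADMIN");
        address oracleAddress = address(_oracle);
        require(oracleAddress != address(0), "Invalid oracle address");
    }
}
'''

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{;]*\{")
REQUIRE_RE = re.compile(r"\brequire\s*\(")
AUTH_RE = re.compile(r"\bmsg\.sender\b")

def balanced(text, start, open_ch, close_ch):
    """Return text from start up to the delimiter closing an already-open one."""
    depth, i = 1, start
    while i < len(text) and depth:
        depth += (text[i] == open_ch) - (text[i] == close_ch)
        i += 1
    return text[start:i - 1] if depth == 0 else text[start:]

def late_auth_checks(src):
    """Names of functions where a msg.sender require follows a non-auth require."""
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)  # drop comments
    findings = []
    for fn in FUNC_RE.finditer(src):
        body = balanced(src, fn.end(), "{", "}")
        seen_other = False
        for req in REQUIRE_RE.finditer(body):
            cond = balanced(body, req.end(), "(", ")")
            if not AUTH_RE.search(cond):
                seen_other = True
            elif seen_other:
                findings.append(fn.group(1))
                break
    return findings

if __name__ == "__main__":
    print(late_auth_checks(SAMPLE))
```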

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
