Incorrect packing of `intermediateGradientState` array in QuantAMMGradientBasedRule for vector lambda(λ)
Summary
Packing of storage array intermediateGradientState in QuantAMMGradientBasedRule::_calculateQuantAMMGradient is incorrect for vector lambda(λ) parameter calculation. The Packing uses the loop variable i to index the array instead of the dedicated storageArrayIndex variable, this eventually DoSes the function due to out of bounds array access as the length of the intermediateGradientState array is half the number of tokens
Vulnerability Details
In QuantAMMGradientBasedRule::_calculateQuantAMMGradient the packing of the array intermediateGradientState uses the loop variable i in packing the array as shown here
As we can see from line 156 , the issue is that the length of the intermediateGradientState array is < than the number of tokens, this means that asides from incorrect packing as is incremented by 2 on every iteration,i will be incremented until it exceeds the length of the array, DoSing the function as the array access is out of bounds
Impact
High - incorrect Packing of storage array would lead to permanent DoS
Tools Used
Manual Review
Recommendations
replace i with locals.storageArrayIndex
Lead Judging Commences
finding_gradient_rules_more_than_3_assets_and_1_lambda_will_DoS_the_update
Likelihood: Medium/High, assets>4, lambdas > 1. Impact: Medium/High, DoS update but pool works fine. Pool with 5 assets will use incorrect weights.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.