QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Valid

incorrect length check in `_setIntermediateCovariance` will DOS manual setting of `intermediateCovarianceStates` after pool initialization

honour

Summary

The UpdateWeightRunner provides a function (setIntermediateValuesManually) that allows the QuantAMM admin to manually set the intermediate variables of a rule, asides from setting the initial intermediate variables on pool initialization , it can also be used as a break-glass feature to set/reset the intermediate variables of a rule if necessary.
The issue is that the length check in the function QuantAMMCovarianceBasedRule::_setIntermediateCovariance function is incorrect and will prevent usage of this feature

Vulnerability Details

In QuantAMMCovarianceBasedRule::_setIntermediateCovariance

function _setIntermediateCovariance(
address _poolAddress,
int256[][] memory _initialValues,
uint _numberOfAssets
) internal {
uint storeLength = intermediateCovarianceStates[_poolAddress].length;
@> if ((storeLength == 0 && _initialValues.length == _numberOfAssets) || _initialValues.length == storeLength) {
for (uint i; i < _numberOfAssets; ) {
require(_initialValues[i].length == _numberOfAssets, "Bad init covar row");
unchecked {
++i;
}
}
if (storeLength == 0) {
if ((_numberOfAssets * _numberOfAssets) % 2 == 0) {
intermediateCovarianceStates[_poolAddress] = new int256[]() / 2);
} else {
intermediateCovarianceStates[_poolAddress] = new int256[](
(((_numberOfAssets * _numberOfAssets) - 1) / 2) + 1
);
}
}
//should be initiiduring create pool
_quantAMMPack128Matrix(_initialValues, intermediateCovarianceStates[_poolAddress]);
} else {
revert("Invalid set covariance");
}
}

The issue here is _initialValues is an n by n 2d array , where n is the number of assets, while intermediateCovarianceStates is a single array of length n*n/2. This means that the function will always revert when storeLength is not 0(i.e. when pool is already initialized).

Impact

Medium - QuantAMM Admin will be unable to manually set intermediate variables of Covariance based pools in scenarios where its is necessary to do so

Tools Used

Manual Review

Recommendations

function _setIntermediateCovariance(
address _poolAddress,
int256[][] memory _initialValues,
uint _numberOfAssets
) internal {
uint storeLength = intermediateCovarianceStates[_poolAddress].length;
@> if ((storeLength == 0 && _initialValues.length == _numberOfAssets) || storeLength * 2 >= _initialValues.length * _initialValues.length) {
for (uint i; i < _numberOfAssets; ) {
require(_initialValues[i].length == _numberOfAssets, "Bad init covar row");
unchecked {
++i;
}
}
if (storeLength == 0) {
if ((_numberOfAssets * _numberOfAssets) % 2 == 0) {
intermediateCovarianceStates[_poolAddress] = new int256[]() / 2);
} else {
intermediateCovarianceStates[_poolAddress] = new int256[](
(((_numberOfAssets * _numberOfAssets) - 1) / 2) + 1
);
}
}
//should be initiiduring create pool
_quantAMMPack128Matrix(_initialValues, intermediateCovarianceStates[_poolAddress]);
} else {
revert("Invalid set covariance");
}
}
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding__setIntermediateCovariance_unusable_length_stored_new_values_are_different

Likelihood: Low, _setIntermediateCovariance is used nowhere and is internal. Impact: Low/Medium, First initialization will work but this function won’t be able to mitigate any future problem.

Appeal created

honour Submitter
10 months ago
n0kto Lead Judge
10 months ago
n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding__setIntermediateCovariance_unusable_length_stored_new_values_are_different

Likelihood: Low, _setIntermediateCovariance is used nowhere and is internal. Impact: Low/Medium, First initialization will work but this function won’t be able to mitigate any future problem.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!