QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Valid

incorrect length check in `_setIntermediateCovariance` will DOS manual setting of `intermediateCovarianceStates` after pool initialization

honour

Summary

The UpdateWeightRunner provides a function (setIntermediateValuesManually) that allows the QuantAMM admin to manually set the intermediate variables of a rule, asides from setting the initial intermediate variables on pool initialization , it can also be used as a break-glass feature to set/reset the intermediate variables of a rule if necessary.
The issue is that the length check in the function QuantAMMCovarianceBasedRule::_setIntermediateCovariance function is incorrect and will prevent usage of this feature

Vulnerability Details

In QuantAMMCovarianceBasedRule::_setIntermediateCovariance

function _setIntermediateCovariance(
address _poolAddress,
int256[][] memory _initialValues,
uint _numberOfAssets
) internal {
uint storeLength = intermediateCovarianceStates[_poolAddress].length;
@> if ((storeLength == 0 && _initialValues.length == _numberOfAssets) || _initialValues.length == storeLength) {
for (uint i; i < _numberOfAssets; ) {
require(_initialValues[i].length == _numberOfAssets, "Bad init covar row");
unchecked {
++i;
}
}
if (storeLength == 0) {
if ((_numberOfAssets * _numberOfAssets) % 2 == 0) {
intermediateCovarianceStates[_poolAddress] = new int256[]() / 2);
} else {
intermediateCovarianceStates[_poolAddress] = new int256[](
(((_numberOfAssets * _numberOfAssets) - 1) / 2) + 1
);
}
}
//should be initiiduring create pool
_quantAMMPack128Matrix(_initialValues, intermediateCovarianceStates[_poolAddress]);
} else {
revert("Invalid set covariance");
}
}

The issue here is _initialValues is an n by n 2d array , where n is the number of assets, while intermediateCovarianceStates is a single array of length n*n/2. This means that the function will always revert when storeLength is not 0(i.e. when pool is already initialized).

Impact

Medium - QuantAMM Admin will be unable to manually set intermediate variables of Covariance based pools in scenarios where its is necessary to do so

Tools Used

Manual Review

Recommendations

function _setIntermediateCovariance(
address _poolAddress,
int256[][] memory _initialValues,
uint _numberOfAssets
) internal {
uint storeLength = intermediateCovarianceStates[_poolAddress].length;
@> if ((storeLength == 0 && _initialValues.length == _numberOfAssets) || storeLength * 2 >= _initialValues.length * _initialValues.length) {
for (uint i; i < _numberOfAssets; ) {
require(_initialValues[i].length == _numberOfAssets, "Bad init covar row");
unchecked {
++i;
}
}
if (storeLength == 0) {
if ((_numberOfAssets * _numberOfAssets) % 2 == 0) {
intermediateCovarianceStates[_poolAddress] = new int256[]() / 2);
} else {
intermediateCovarianceStates[_poolAddress] = new int256[](
(((_numberOfAssets * _numberOfAssets) - 1) / 2) + 1
);
}
}
//should be initiiduring create pool
_quantAMMPack128Matrix(_initialValues, intermediateCovarianceStates[_poolAddress]);
} else {
revert("Invalid set covariance");
}
}
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding__setIntermediateCovariance_unusable_length_stored_new_values_are_different

Likelihood: Low, _setIntermediateCovariance is used nowhere and is internal. Impact: Low/Medium, First initialization will work but this function won’t be able to mitigate any future problem.

Appeal created

honour Submitter
10 months ago
n0kto Lead Judge
9 months ago
n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding__setIntermediateCovariance_unusable_length_stored_new_values_are_different

Likelihood: Low, _setIntermediateCovariance is used nowhere and is internal. Impact: Low/Medium, First initialization will work but this function won’t be able to mitigate any future problem.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.