QuantAMM

49,600 OP
Submission Details
Severity: medium
Invalid

Immutable Token List in Pool Creation

Summary

The current pool design likely enforces an immutable token list after pool creation. The system specifies tokens during initialization through the params.tokenConfig array, with no apparent functionality for adding tokens post-creation. This design, while simplifying operational complexity, restricts pool flexibility and limits adaptability to future requirements.

Vulnerability Details

  • Immutability of Token List:
    The params.tokenConfig array defines the tokens for the pool at creation. Without a function to modify or add tokens later, the token list is effectively immutable.

  • Likely Reasons for Immutability:

    1. Weight Balancing: Adding tokens requires recalculating and rebalancing the pool's weights, which could disrupt its functioning.

    2. Contract Assumptions: Hooks or strategies tied to the pool might assume a fixed token set, risking breakage if tokens are modified.

    3. Security Concerns: Adding tokens dynamically may introduce vulnerabilities if token validation is inadequate.

  • Implications:
    This rigidity could limit the protocol's utility, as pools are unable to adapt to changes like adding new tokens or responding to market demands.

Impact

  • Flexibility: Users are restricted to the initially defined tokens, limiting the protocol's ability to evolve or adapt pools to new assets or market conditions.

  • Usability: Potential use cases, such as dynamically evolving pools or expanding pools to include new tokens, are not feasible.

  • Competitive Advantage: Protocols with flexible pool designs may attract more users due to greater adaptability.

Tools Used

Manual Review

Recommendations

  1. Introduce a Token Addition Mechanism:
    Consider implementing a controlled mechanism to allow token additions to existing pools while addressing associated risks. This functionality should include:

    • Proper validation of new tokens to ensure compliance with pool rules.

    • Recalibration of weights to maintain balance.

    • Ensuring compatibility with existing contracts and strategies.

      Example implementation:

+ function addTokenToPool(address pool, TokenConfig memory newTokenConfig) external {
+ require(_isPoolRegistered(pool), "Pool does not exist");
+ require(poolTokens[pool].length < MAX_TOKENS, "Token limit exceeded");
+ _validateNewToken(newTokenConfig);
+ poolTokens[pool].push(newTokenConfig.token);
+}
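
Review bot: The `external` declaration on `addTokenToPool` carries no access-control modifier or caller check, so as written any address could append a token to any registered pool; restrict it to the pool owner or a governance role before anything else. The body also only pushes `newTokenConfig.token` onto `poolTokens[pool]` and never touches weights, so the weight recalibration and the hook/strategy compatibility that the recommendation itself lists as requirements are not covered by this sketch. `_validateNewToken` is not shown, so a duplicate-token check cannot be confirmed from these lines and should be stated explicitly.
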
  2. Alternative Solutions:

    • Create new pools with the desired token configurations.

    • Offer guidelines or tools to migrate liquidity to a new pool.

This highlights the importance of balancing security and usability in pool design. While immutability simplifies operations and reduces risks, incorporating a controlled token addition mechanism could enhance the protocol's functionality and appeal.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
