QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

PoolManager can arbitrarily reset the lastPoolUpdateRun at any given time.

brazexyz

Summary

The poolMnager can change/reset the lastPoolUpdateRun anytime, which will affect how weights are updated in the pool adversely, as there are no measures in place to restrict the resetting of the lastPoolUpdateRun.

Vulnerability Details

The function InitialisePoolLastRunTime() is used to set a new PoolLastRunTime, and only the adminandpoolManagercan call these functions. The issue here is that although the admin is trusted, the poolManager is unfortunately not, because anyone can create a pool, so even malicious actors can also do the same. Now if a malicious actor happens to get ahold of this role, they can suddenly update the last runtime, which is always queried to determine the interval between updates, which tells when the next update should take place. Since there are no checks in place to validate the reset of thelastPoolUpdateRun` poolManager can directlyinfluence update of the pool weights or stop their update totally, which is against the protocol design for QuantAMMPools.
see code here

function InitialisePoolLastRunTime(address _poolAddress, uint40 _time) external {
uint256 poolRegistryEntry = approvedPoolActions[_poolAddress];
//current breakglass settings allow pool creator trigger. This is subject to review
if (poolRegistryEntry & MASK_POOL_OWNER_UPDATES > 0) {
require(msg.sender == poolRuleSettings[_poolAddress].poolManager, "ONLYMANAGER");
} else if (poolRegistryEntry & MASK_POOL_QUANTAMM_ADMIN_UPDATES > 0) {
require(msg.sender == quantammAdmin, "ONLYADMIN");
} else {
revert("No permission to set last run time");
}
poolRuleSettings[_poolAddress].timingSettings.lastPoolUpdateRun = _time;
emit PoolLastRunSet(_poolAddress, _time);
}

PERMLINK: https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/UpdateWeightRunner.sol#L313

Impact

High. Users can lose their rewards due to sudden weight change, which is unaccounted for. Malicious poolMnager can cause users to lose funds during important pool operations or delay weight updates for selfish reasons.

Tools Used

Manual Review.

Recommendations

Although allowing poolManager to set the lastPoolUpdateRun makes the code more flexible, it also introduces risks in the protocol. Here are a few suggested recommendations for mitigating this issue.

  • Validate _time. This ensures that the time set or being set is within acceptable range, such as setting time that is not too in the past or too far in the future.

require(_time >= block.timestamp - MAX_BACKWARD_OFFSET, "INVALID_TIME: TOO OLD");
require(_time <= block.timestamp + MAX_FORWARD_OFFSET, "INVALID_TIME: TOO FAR");

  • Limit rate of setting new lastPoolUpdateRun. This ensures that frequencies of setting/resetting the lastPoolUpdateRun become small. This can be done by enforcing a minimum time interval between updates.

require(block.timestamp >= poolRuleSettings[_poolAddress].timingSettings.lastPoolUpdateRun + MIN_UPDATE_INTERVAL, "UPDATE_TOO_FREQUENT");
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.