QuantAMM

Submission Details
Severity: low
Invalid

Incorrect implementation of mask in `UpdateWeightRunner::setWeightsManually` function

Summary

The scenario is as follows:

  • Setting weights is an action approved for both the admin and the pool manager (`approvedPoolActions[_poolAddress] = 24`, i.e. 16 + 8).

  • The QuantAMM admin wants to set weights manually using the `UpdateWeightRunner::setWeightsManually` function.

  • The function evaluates `if (poolRegistryEntry & MASK_POOL_OWNER_UPDATES > 0)`, which is true.

  • Because that condition is satisfied, the function executes `require(msg.sender == poolRuleSettings[_poolAddress].poolManager, "ONLYMANAGER");`.

  • The function reverts, since the caller is the admin, not the manager.

As a result, the admin cannot set weights manually whenever setting weights is also an approved action for the manager: the first branch to match the mask wins, and it demands the manager's identity regardless of which other bits are set.

Vulnerability Details

Copy the test below into UpdateWeightRunner.sol. We expect the test to pass, but it reverts with "ONLYMANAGER".

POC

```solidity
function testSetWeightManuallyByAdminWhenBothadminAndManagerApproved() public {
    // Four-token pool: two non-zero weights, two zero weights.
    int256[] memory weights = new int256[](4);
    weights[0] = 0.0000000005e18;
    weights[1] = 0.0000000005e18;
    weights[2] = 0;
    weights[3] = 0;
    mockPool.setPoolRegistry(24);
    // `owner` is the QuantAMM admin in this test setup.
    vm.startPrank(owner);
    updateWeightRunner.setApprovedActionsForPool(address(mockPool), 24); // approved both by admin and manager (16 + 8)
    // Expected to succeed for the admin, but reverts with "ONLYMANAGER".
    updateWeightRunner.setWeightsManually(weights, address(mockPool), 6, 2);
    vm.stopPrank();
}
```

Impact

Setting weights manually becomes impossible for the admin whenever the pool also approves the pool manager for that action, even though both roles were explicitly granted it.
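To make the control-flow problem concrete, here is a small Python model (an added example, not QuantAMM's code) of the original check in `setWeightsManually` and of the identity-first reordering proposed under Recommendations. The mask values 8 and 16 are assumed from the "16 + 8" in this report; which bit is which is an assumption.

```python
# Assumed bit assignments, inferred from "16 + 8" in the report.
MASK_POOL_OWNER_UPDATES = 8
MASK_POOL_QUANTAMM_ADMIN_UPDATES = 16


class Denied(Exception):
    """Stands in for a Solidity revert; the message is the revert reason."""


def check_original(entry: int, sender: str, manager: str, admin: str) -> None:
    # Original order: the mask bits decide which identity is demanded.
    # Note: in Python `&` binds looser than `>`, so parentheses are required
    # (Solidity binds `&` tighter, which is why the original code needs none).
    if (entry & MASK_POOL_OWNER_UPDATES) > 0:
        if sender != manager:
            raise Denied("ONLYMANAGER")
    elif (entry & MASK_POOL_QUANTAMM_ADMIN_UPDATES) > 0:
        if sender != admin:
            raise Denied("ONLYADMIN")
    else:
        raise Denied("No permission to set weight values")


def check_proposed(entry: int, sender: str, manager: str, admin: str) -> None:
    # Proposed order: the caller's identity decides which bit is demanded.
    if sender == manager:
        if (entry & MASK_POOL_OWNER_UPDATES) == 0:
            raise Denied("ONLYMANAGER")
    elif sender == admin:
        if (entry & MASK_POOL_QUANTAMM_ADMIN_UPDATES) == 0:
            raise Denied("ONLYADMIN")
    else:
        raise Denied("No permission to set weight values")


def outcome(check, entry, sender, manager="manager", admin="admin") -> str:
    """Return "ok" or the revert reason for one call."""
    try:
        check(entry, sender, manager, admin)
        return "ok"
    except Denied as e:
        return str(e)


def truth_table(check) -> dict:
    """Outcome of `check` for every mask combination and every caller role."""
    return {(entry, who): outcome(check, entry, who)
            for entry in (0, 8, 16, 24)
            for who in ("manager", "admin", "stranger")}
```

`truth_table(check_original)[(24, "admin")]` is the reported failure; the same model also shows that the proposed reordering denies an address holding both roles when only the admin bit is set.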

Tools Used

Manual review

Recommendations

Simply change it like this:

- if (poolRegistryEntry & MASK_POOL_OWNER_UPDATES > 0) {
- require(msg.sender == poolRuleSettings[_poolAddress].poolManager, "ONLYMANAGER");
- } else if (poolRegistryEntry & MASK_POOL_QUANTAMM_ADMIN_UPDATES > 0) {
- require(msg.sender == quantammAdmin, "ONLYADMIN");
+ if (msg.sender == poolRuleSettings[_poolAddress].poolManager) {
+ require(poolRegistryEntry & MASK_POOL_OWNER_UPDATES > 0, "ONLYMANAGER");
+ } else if (msg.sender == quantammAdmin) {
+ require(poolRegistryEntry & MASK_POOL_QUANTAMM_ADMIN_UPDATES > 0, "ONLYADMIN");
} else {
revert("No permission to set weight values");
}
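Review bot: branching on caller identity first means an address that is both `poolRuleSettings[_poolAddress].poolManager` and `quantammAdmin` always enters the first branch, so with only `MASK_POOL_QUANTAMM_ADMIN_UPDATES` set it reverts with "ONLYMANAGER" although the admin path would have allowed it; checking each (role, bit) pair independently and reverting only when neither holds avoids that, e.g. `bool managerOk = msg.sender == poolRuleSettings[_poolAddress].poolManager && (poolRegistryEntry & MASK_POOL_OWNER_UPDATES > 0);` with the matching `adminOk`, then `require(managerOk || adminOk, "No permission to set weight values");`. The reused revert strings are also now misleading: in the new first branch "ONLYMANAGER" fires when the caller is the manager but the pool has not approved manager updates, so the reasons should name the missing approval rather than the caller.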
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

invalid_manual_functions_cannot_be_called_by_admin_when_pool_owner_can

Design choice confirmed by the sponsor.
