Lack of Negative Value Check for Single Kappa Branch May Lead to Negative Weights
Summary
Lack of Negative Value Check for Single Kappa Branch May Lead to Negative Weights
Vulnerability Details
In the _getWeights function of the AntiMomentumUpdateRule contract, missing check for negative weight values in the single kappa branch. While the multiple kappa branch includes a require(res >= 0, "Invalid weight") statement to prevent negative weights, the single kappa branch lacks such a check, may produce negative weights.
Impact
res is the newly computed asset weight, calculated by adding the previous weight _prevWeights[locals.i] to the result of (locals.kappa[0] * (locals.normalizationFactor - locals.newWeights[locals.i])).
If the result of (locals.normalizationFactor - locals.newWeights[locals.i]) is negative, and it is multiplied by a positive locals.kappa[0], the final computed res may become negative.
After being stored in the newWeightsConverted array, res is returned as part of the array, which is used by the pool to update the weights of each asset.
This could lead to incorrect asset ratios in the pool or abnormal price calculations.
Tools Used
Recommendations
Lead Judging Commences
invalid_weights_can_be_negative_or_extreme_values
_clampWeights will check that these weights are positive and in the boundaries before writing them in storage.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.