QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Left 128-Bit Storage Slot Corruption in Matrix Packing Causes Incorrect AMM Pricing

cheatc0d33

Summary

A vulnerability exists in the VectorRuleQuantAMMStorage contract's _quantAMMPack128Matrix function where the last storage slot handling leads to data corruption. Here is the vulnerable code block from the contract:

https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/QuantAMMStorage.sol#L373

// In VectorRuleQuantAMMStorage contract
if (((_sourceMatrix.length * _sourceMatrix.length) % 2) != 0) {
_targetArray[targetArrayLength - 1] = int256(
int128(_sourceMatrix[_sourceMatrix.length - 1][_sourceMatrix.length - 1])
);
}

The issue occurs because when packing matrices with an odd total number of elements (e.g. a 3x3 matrix which has 9 elements), the function attempts to handle the last element by directly overwriting the entire last storage slot (256 bits) with just the final matrix value cast to int256. This is incorrect because:

  1. The function is meant to pack pairs of 128-bit integers into each 256-bit slot:

// Earlier in the same function - shows correct packing of pairs
targetArray[targetArrayIndex] = (leftInt << 128) | int256(uint256(_sourceMatrix[i][j] << 128) >> 128);

  1. But for the last element in odd-sized matrices, it overwrites both halves:

// What currently happens with last slot
[valid_left_128_bits][empty_right_128_bits] // Initial state
[0000000000000000][last_element] // After incorrect overwrite

This directly corrupts the packed matrix data that the QuantAMM system relies on for its covariance calculations and pool weight updates. The corruption is especially severe because:

// In QuantAMMCovarianceBasedRule contract - uses corrupted data
function _calculateQuantAMMCovariance(
int256[] memory _newData,
QuantAMMPoolParameters memory _poolParameters
) internal returns (int256[][] memory) {
// This unpacks potentially corrupted data
int256[][] memory intermediateCovarianceState = _quantAMMUnpack128Matrix(
intermediateCovarianceStates[_poolParameters.pool],
locals.n
);
// ... uses corrupted data in critical calculations
}

Impact

In the QuantAMM system, the corruption of packed matrix data has severe implications for core functionality. When storing odd-sized matrices, the improper overwriting of the final storage slot's left 128 bits permanently destroys valid covariance matrix elements. This corrupted data then flows directly into _calculateQuantAMMCovariance(), where it's used for weight calculations and price determination. Since covariance matrices are fundamental to the AMM's pricing model, this corruption leads to incorrect asset valuations, improper liquidity provision, and potentially significant monetary losses. The issue is particularly dangerous because it occurs silently - the system continues operating with corrupted values, making detection difficult until financial discrepancies become apparent.

Recommended Mitigation Steps

Modify the storage write operation to preserve the left 128 bits when handling odd-numbered matrices:

if (((_sourceMatrix.length * _sourceMatrix.length) % 2) != 0) {
int256 lastValue = *sourceMatrix[*sourceMatrix.length - 1][_sourceMatrix.length - 1];
int256 currentSlotValue = _targetArray[targetArrayLength - 1];
// Preserve left 128 bits and only modify right 128 bits
_targetArray[targetArrayLength - 1] = (currentSlotValue & (int256(type(uint128).max) << 128)) |
(int256(uint256(lastValue << 128) >> 128));
}
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.