QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Missing Row Length Validation in Matrix Packing Leads to Invalid Covariance Calculations

Description

A vulnerability exists in the _quantAMMPack128Matrix function of the VectorRuleQuantAMMStorage contract where the absence of proper matrix dimension validation can lead to data corruption or reverts in core covariance calculations. Here's the vulnerable implementation:

https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/QuantAMMStorage.sol#L373

// In VectorRuleQuantAMMStorage contract
function _quantAMMPack128Matrix(int256[][] memory _sourceMatrix, int256[] storage _targetArray) internal {
    uint targetArrayLength = _targetArray.length;
    require(targetArrayLength * 2 >= _sourceMatrix.length * _sourceMatrix.length, "Matrix doesnt fit storage");
    // No validation that matrix is actually square before packing
    for (uint i; i < _sourceMatrix.length; ) {
        for (uint j; j < _sourceMatrix[i].length; ) { // Vulnerable: assumes row length equals matrix length
            // ... packing logic
        }
    }
}

The contract's storage packing assumes square matrices throughout its logic, as evidenced by these impacted functions:

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/rules/base/QuantammCovarianceBasedRule.sol#L47

// In QuantAMMCovarianceBasedRule contract
function _calculateQuantAMMCovariance(
    int256[] memory _newData,
    QuantAMMPoolParameters memory _poolParameters
) internal returns (int256[][] memory) {
    // Will use corrupted/incorrect data if matrix wasn't square
    int256[][] memory intermediateCovarianceState = _quantAMMUnpack128Matrix(
        intermediateCovarianceStates[_poolParameters.pool],
        locals.n
    );
    // Critical covariance calculations proceed with bad data
    // ...
}

If a non-square matrix is passed (which is possible due to the lack of validation), the result could look like this:

// Example problematic input that would pass current checks
[
    [1, 2, 3],    // length 3
    [4, 5],       // length 2 (shorter) - will cause array access error
    [6, 7, 8, 9]  // length 4 (longer) - will pack wrong data
]

Impact

The absence of square-matrix validation creates a critical vulnerability in QuantAMM's covariance calculations. When a non-square matrix is processed by _quantAMMPack128Matrix(), it either results in array access errors (if rows are too short) or incorrect data packing (if rows are too long). These packed values are then used by _calculateQuantAMMCovariance() for updating pool weights and prices. In the case of array access errors, the transaction reverts, potentially freezing pool operations. More dangerously, if rows are longer than expected, the excess data gets packed, leading to incorrect covariance calculations that directly affect asset pricing and pool balances. Since the matrix dimensions are fundamental assumptions in the AMM's mathematical model, any violation compromises the entire system's reliability.

Recommended Mitigation Steps

Add explicit validation of matrix dimensions:

function _quantAMMPack128Matrix(int256[][] memory _sourceMatrix, int256[] storage _targetArray) internal {
    require(_sourceMatrix.length > 0, "Empty matrix");
    uint matrixSize = _sourceMatrix.length;
    // Validate square matrix dimensions
    for (uint i = 0; i < matrixSize; i++) {
        require(
            _sourceMatrix[i].length == matrixSize,
            "Matrix must be square: inconsistent row length"
        );
    }
    // Validate storage capacity
    require(
        _targetArray.length * 2 >= matrixSize * matrixSize,
        "Insufficient target array capacity"
    );
    // Continue with packing logic
    // ...
}
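To make the failure mode concrete, the following is an added Python model (not the project's code) of the pack/unpack round trip described in the Description and the per-row check from the mitigation. The two-int128-lanes-per-word layout and the function names are assumptions; what it shows is that the original capacity-only check accepts the ragged example above and silently shifts values across rows on unpacking, while a short matrix hits an out-of-range read.

```python
# Added model, not the project's code: a Python stand-in for the 128-bit
# matrix packing and unpacking above. The two-lane-per-word layout is an
# assumption; the point is that the capacity check alone passes ragged input.
MASK128 = (1 << 128) - 1


def pack128_matrix(matrix, capacity_words):
    """Mirror the original check (total size vs. capacity), then pack row-major."""
    n = len(matrix)
    if capacity_words * 2 < n * n:
        raise ValueError("Matrix doesnt fit storage")
    flat = [v for row in matrix for v in row]  # ragged rows flatten silently
    words = []
    for i in range(0, len(flat), 2):
        lo = flat[i] & MASK128
        hi = (flat[i + 1] & MASK128) if i + 1 < len(flat) else 0
        words.append((hi << 128) | lo)  # low lane first, high lane second
    return words


def _to_signed128(x):
    return x - (1 << 128) if x >> 127 else x


def unpack128_matrix(words, n):
    """Reassemble n x n rows; reads n*n lanes regardless of how many were packed."""
    lanes = []
    for w in words:
        lanes.append(_to_signed128(w & MASK128))
        lanes.append(_to_signed128((w >> 128) & MASK128))
    # Too few lanes raises IndexError, the analogue of the report's array access error.
    return [[lanes[r * n + c] for c in range(n)] for r in range(n)]


def validate_square(matrix):
    """The report's mitigation: every row length must equal the matrix length."""
    n = len(matrix)
    if n == 0:
        raise ValueError("Empty matrix")
    for i, row in enumerate(matrix):
        if len(row) != n:
            raise ValueError(f"Matrix must be square: row {i} has length {len(row)}, expected {n}")
    return True


def round_trip(matrix, capacity_words=5):
    """Pack then unpack with n = len(matrix), as the covariance path does."""
    return unpack128_matrix(pack128_matrix(matrix, capacity_words), len(matrix))
```

Running validate_square before pack128_matrix is the only change needed to turn both the silent row shift and the out-of-range read into an early, explicit rejection.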
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
