QuantAMM

49,600 OP
Submission Details
Severity: medium
Invalid

Uninitialized Storage Variable in AMM State Unpacking Leads to Corrupted Pool Pricing

Summary

The quantAMMUnpack32Array function in the ScalarQuantAMMBaseStorage contract contains a critical uninitialized variable vulnerability. The stickyEndSourceElem variable is used for handling "sticky end" elements (remaining elements that do not complete a 256-bit slot) but is left uninitialized in crucial execution paths.

The function's initialization logic creates a dangerous gap in memory management. The stickyEndSourceElem variable is only initialized within a nested conditional structure, specifically when the target array length exceeds 8 and is not divisible by 8. However, the variable is subsequently used in the sticky end handling logic regardless of these conditions.

https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/QuantAMMStorage.sol#L135

```solidity
uint stickyEndSourceElem; // Declared but not initialized
if (_targetArrayLength > 8) {
    // ... loop code ...
    if (!divisibleByEight) {
        unchecked {
            stickyEndSourceElem = _sourceArray.length - 1;
        }
    }
}
```

This uninitialized state leads to undefined behavior when processing arrays with specific lengths. When the target length is 8 or less, or when it is greater than 8 but divisible by 8, the code proceeds to use this uninitialized variable in critical memory operations:

https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/QuantAMMStorage.sol#L193

```solidity
// targetIndex and divisibleByEight are set earlier in the function (elided above)
if (!divisibleByEight) {
    unchecked {
        uint offset = 224;
        for (uint i = targetIndex; i < targetArray.length; ) {
            targetArray[i] = int256(int32(_sourceArray[stickyEndSourceElem] >> offset)) * 1e9;
            offset -= 32;
            ++i;
        }
    }
}
```

Impact

This vulnerability poses a severe risk to the protocol's operation. When the uninitialized variable is used, it can corrupt critical state data used for variance and gradient calculations that directly influence pool pricing. This corruption would silently propagate through the system's exponential decay calculations and moving averages, leading to increasingly incorrect pool weights and pricing. Since these calculations compound over time and directly affect user funds, this vulnerability puts significant financial value at risk.

Recommended mitigation steps

  1. Initialize stickyEndSourceElem at declaration:

```solidity
uint stickyEndSourceElem = _sourceArray.length - 1;
```

  2. Add validation to ensure proper array access:

```solidity
require(_sourceArray.length > 0, "Empty source array");
uint stickyEndSourceElem = _sourceArray.length - 1;
if (!divisibleByEight) {
    unchecked {
        uint offset = 224;
        require(targetIndex < targetArray.length, "Invalid target index");
        for (uint i = targetIndex; i < targetArray.length; ) {
            require(stickyEndSourceElem < _sourceArray.length, "Invalid source index");
            targetArray[i] = int256(int32(_sourceArray[stickyEndSourceElem] >> offset)) * 1e9;
            offset -= 32;
            ++i;
        }
    }
}
```
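As an added check, not part of the submission above and not QuantAMM's code: a Python model of the 32-bit packing layout the excerpts imply, with the unpack side mirroring the excerpted control flow. In Solidity a declared but unassigned local `uint` reads as 0 rather than holding an indeterminate value, so the model keeps `stickyEndSourceElem` at 0 until the `> 8` branch assigns it and lets a pack/unpack round trip show which source word the sticky-end loop reads for each target length. Assumptions, labelled in the code: eight int32 values per 256-bit word with element j of a word in the bits starting at offset 224 - 32*j, values stored as value / 1e9 and restored as int32 * 1e9, and a reconstructed full-word loop plus exactly-eight case, which the page elides.

```python
"""
Model of the 32-bit-per-element packing behind QuantAMM's quantAMMUnpack32Array.
Constructed example, not project code. Assumptions: eight int32 values per
256-bit word, element j of a word in bits 224-32*j .. 255-32*j, values stored
as value / 1e9 and restored as int32 * 1e9, and the Solidity rule that a
declared, unassigned local `uint` reads as 0.
"""
from typing import List

SCALE = 10**9
MASK32 = 0xFFFFFFFF


def to_int32(v: int) -> int:
    """Reinterpret the low 32 bits of v as a signed int32, like Solidity's int32() cast."""
    v &= MASK32
    return v - (1 << 32) if v >= (1 << 31) else v


def to_int256(v: int) -> int:
    """Reinterpret a 256-bit pattern as a signed int256."""
    v &= (1 << 256) - 1
    return v - (1 << 256) if v >= (1 << 255) else v


def _div_trunc(v: int, d: int) -> int:
    """Integer division truncating toward zero, as Solidity does."""
    q = abs(v) // d
    return -q if v < 0 else q


def pack32(values: List[int]) -> List[int]:
    """Pack 1e9-scaled ints eight per 256-bit word, first element in the top 32 bits (assumed layout)."""
    words = []
    for start in range(0, len(values), 8):
        word = 0
        for j, v in enumerate(values[start:start + 8]):
            q = _div_trunc(v, SCALE)
            if not -(1 << 31) <= q < (1 << 31):
                raise ValueError("scaled value does not fit in int32")
            word |= (q & MASK32) << (224 - 32 * j)
        words.append(to_int256(word))
    return words


def _unpack_word(word: int, target: List[int], target_index: int, count: int) -> None:
    """Decode `count` int32 values from `word`, top bits first, into target[target_index:]."""
    offset = 224
    for i in range(target_index, target_index + count):
        target[i] = to_int32(word >> offset) * SCALE
        offset -= 32


def unpack32(source: List[int], target_len: int) -> List[int]:
    """Mirror the control flow of quantAMMUnpack32Array as excerpted on the page.

    The full-word loop and the exactly-eight case are reconstructed (assumption);
    the `> 8` guard, the stickyEndSourceElem assignment and the sticky-end loop
    follow the excerpt.
    """
    if len(source) != (target_len + 7) // 8:
        raise ValueError("source length does not match target length")
    target = [0] * target_len
    target_index = 0
    divisible_by_eight = target_len % 8 == 0
    # Solidity: `uint stickyEndSourceElem;` is zero until assigned, not indeterminate.
    sticky_end_source_elem = 0
    if target_len > 8:
        full_words = len(source) if divisible_by_eight else len(source) - 1
        for k in range(full_words):
            _unpack_word(source[k], target, target_index, 8)
            target_index += 8
        if not divisible_by_eight:
            sticky_end_source_elem = len(source) - 1
    elif target_len == 8:
        _unpack_word(source[0], target, 0, 8)
        target_index = 8
    if not divisible_by_eight:
        # For 1..7 elements the source holds exactly one word, so index 0 is the one to read.
        _unpack_word(source[sticky_end_source_elem], target, target_index, target_len - target_index)
    return target


def roundtrip(values: List[int]) -> bool:
    """True when pack followed by unpack restores the input exactly."""
    return unpack32(pack32(values), len(values)) == values
```

Running `roundtrip` over lengths 1 to 7, 8, 11, 16 and 19 exercises every branch: the sticky-end-only path (source has one word, index 0), the divisible-by-eight paths (no sticky end), and the mixed path where the last word's index is assigned as `len(source) - 1`. The model also makes the storage precision visible: a value that is not a multiple of 1e9 comes back truncated.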
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
