Unchecked Bit Shift Counter Underflow Corrupts AMM Pool State Calculations
Summary
The quantAMMUnpack32Array function in ScalarQuantAMMBaseStorage contract contains a dangerous bit shifting vulnerability that undermines the integrity of pool state calculations. At the core of the function's sticky end handling logic lies an unsafe decrementing counter used for unpacking partial data slots.
Each packed 256-bit storage slot holds multiple 32-bit values that need to be extracted sequentially. The function uses an unchecked offset counter that starts at 224 and decrements by 32 with each value extraction. However, the logic fails to account for the fixed size of a storage slot:
The implications for pool operations are severe - after seven iterations (dealing with the maximum values a 256-bit slot can hold), any additional iteration causes the offset to underflow. Since this occurs in an unchecked block, instead of reverting, the offset wraps to a massive number. When this corrupted offset is used for bit shifting, it extracts meaningless data that gets fed into the pool's variance calculations and exponential moving averages, poisoning the mathematical foundation of the AMM's pricing and rebalancing mechanisms.
Recommended mitigation steps
Add bounds checking for the offset:
Alternatively, limit the number of iterations explicitly:
Consider adding array length validation:
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.