QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

Insufficient Token-Weight Array Length Validation Enables Pool Deployment with Mismatched Parameters

cheatc0d33

Summary

A validation gap exists in the QuantAMMWeightedPoolFactory's pool creation process around token and weight array alignment. This is particularly serious given the complex weight management requirements of QuantAMM pools, where misaligned token and weight arrays could severely impact the pool's automated market making capabilities and potentially lead to system-wide instability.

In the current implementation, the factory forwards initialization parameters directly to the pool without verifying the fundamental relationship between numTokens and the length of the weights array. This creates risk at multiple levels of the Balancer V3 architecture. Most critically, since QuantAMM pools rely on sophisticated weight interpolation over time, any misalignment between token and weight arrays could lead to catastrophic failures in the pool's core pricing and rebalancing mechanisms. Even if caught by later validations, the lack of early checks allows malicious actors to force deployment failures after significant gas expenditure.

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/QuantAMMWeightedPoolFactory.sol#L131

function create(NewPoolParams memory params) external returns (address pool, bytes memory poolArgs) {

// ... other code ...

pool = _create(poolArgs, params.salt);

QuantAMMWeightedPool(pool).initialize(

params._initialWeights,

params._poolSettings,

params._initialMovingAverages,

params._initialIntermediateValues,

params._oracleStalenessThreshold

);

Recommended Mitigation Steps

Add explicit length validation before pool creation:

function validateTokenAndWeightCount(

uint256 numTokens,

int256[] memory weights,

IERC20[] memory tokens

) internal pure {

require(

weights.length == numTokens,

"Weight count must match numTokens"

);

require(

tokens.length == numTokens,

"Token count must match numTokens"

);

require(

numTokens >= MIN_TOKENS && numTokens <= MAX_TOKENS,

"Invalid number of tokens"

);

}

function create(NewPoolParams memory params) external returns (address pool, bytes memory poolArgs) {

validateTokenAndWeightCount(

params.numTokens,

params._initialWeights,

params.tokens

);

// Rest of creation logic...

}

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Too generic

Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.