The calculateBlockNormalisedWeight function performs weight calculations without validating that the resulting weights stay within the acceptable bounds for an AMM pool:
This unbounded calculation creates a critical vulnerability where pool weights can exceed 100% or fall below 0%. In AMM pools, weights directly determine asset pricing and swap calculations. Invalid weights break core invariants of the AMM design:
A weight exceeding 100% could make an asset artificially expensive, while a negative weight would completely break the pricing model. The exploitation potential stems from how these invalid states interact with the AMM's core pricing mechanics. When weights exceed valid bounds, the spot price calculations produce invalid results, creating arbitrage opportunities.
An attacker could exploit these mispriced assets through carefully sequenced trades, first taking advantage of the artificially inflated or deflated prices to accumulate assets at a discount. These manipulated trades would then permanently distort the pool's balance ratios since the underlying price calculations are no longer operating within valid mathematical bounds. By chaining such trades together, an attacker could progressively drain value from the pool by repeatedly exploiting the price discrepancies, with each trade further destabilizing the pool's state. The compounding nature of this exploitation means that even a single instance of an invalid weight could lead to cascading failures in the pool's pricing model.
The impact is particularly severe because the function is called during every swap operation via _getNormalizedWeight, making this a frequently accessible attack vector.
Add weight boundary validation:
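One way to express such validation, as an added example that is not the audited project's code and not the submitter's original snippet. The library name, function names, signature, 18-decimal scaling and the 1% floor are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Added illustration only. Names, signature, scaling and bounds are
/// hypothetical and do not come from the audited code base.
library BoundedWeightExample {
    int256 internal constant ONE = 1e18;         // 100% in 18-decimal fixed point
    int256 internal constant MIN_WEIGHT = 1e16;  // assumed 1% floor (placeholder)
    int256 internal constant MAX_WEIGHT = ONE - MIN_WEIGHT;

    error WeightOutOfBounds(int256 weight);
    error ElapsedTooLarge(uint256 elapsed);

    /// Linear interpolation: weight + multiplierPerSecond * elapsed.
    /// Solidity 0.8.x checked arithmetic reverts on overflow.
    function _interpolate(int256 weight, int256 multiplierPerSecond, uint256 elapsed)
        private
        pure
        returns (int256)
    {
        // Guard the cast: values above int256.max would wrap to negative.
        if (elapsed > uint256(type(int256).max)) revert ElapsedTooLarge(elapsed);
        return weight + multiplierPerSecond * int256(elapsed);
    }

    /// Variant 1: reject any result outside [MIN_WEIGHT, MAX_WEIGHT].
    function interpolateChecked(int256 weight, int256 multiplierPerSecond, uint256 elapsed)
        internal
        pure
        returns (uint256)
    {
        int256 result = _interpolate(weight, multiplierPerSecond, elapsed);
        if (result < MIN_WEIGHT || result > MAX_WEIGHT) revert WeightOutOfBounds(result);
        return uint256(result);
    }

    /// Variant 2: saturate at the bounds instead of reverting.
    function interpolateClamped(int256 weight, int256 multiplierPerSecond, uint256 elapsed)
        internal
        pure
        returns (uint256)
    {
        int256 result = _interpolate(weight, multiplierPerSecond, elapsed);
        if (result < MIN_WEIGHT) return uint256(MIN_WEIGHT);
        if (result > MAX_WEIGHT) return uint256(MAX_WEIGHT);
        return uint256(result);
    }
}
```

The reverting variant, if placed on the swap path, blocks swaps while the interpolated weight is out of range. The clamping variant keeps swaps working but does not by itself guarantee that all token weights still sum to 100%.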
_clampWeights will check that these weights are positive and in the boundaries before writing them in storage.