The setWeights function in the QuantAMMWeightedPool contract fails to validate that weights sum to FixedPoint.ONE (100%), a critical invariant for weighted pools. While this validation exists in the _setInitialWeights function during pool initialization, its omission in setWeights creates a vulnerability in subsequent weight updates.
The contract fails to enforce the foundational weighted pool requirement that weights must sum to 100% (FixedPoint.ONE) in the setWeights function:
The missing validation introduces a critical vulnerability in the pool's arithmetic model. Without enforcing the total weight constraint:
- Weights summing to less than 100% lead to systematic underpricing of pool assets, as each token's relative weight appears smaller than intended. This creates exploitable arbitrage opportunities through buy/sell loops.
- Conversely, weights exceeding 100% cause asset overpricing, enabling profitable manipulation through repeated sell/buy cycles.
The persistent nature of weights means incorrect values remain active until manually updated, potentially allowing extended exploitation periods. This directly threatens pool stability and liquidity provider capital.
For example, if weights sum to 95%, an attacker could profit by repeatedly:
1. Buying tokens at artificially low prices due to deflated weights
2. Selling them back when market prices normalize
3. Extracting value from the pool with each cycle
Add explicit validation that weights sum to FixedPoint.ONE in the setWeights function:
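One way to express the check this recommendation describes, as an added Solidity example that is not the submitter's or QuantAMM's code. The library name, error names and the `tolerance` parameter are hypothetical, and it assumes weights arrive as 18-decimal signed integers, one per token, on the same scale as FixedPoint.ONE.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Added illustration, not QuantAMM code. All names in this library are hypothetical.
library WeightSumCheck {
    // 18-decimal fixed point, the same scale as Balancer's FixedPoint.ONE.
    int256 internal constant ONE = 1e18;

    error NonPositiveWeight(uint256 index, int256 weight);
    error WeightsNotNormalized(int256 sum);

    /// @param weights   18-decimal weights, one entry per pool token (assumed layout).
    /// @param tolerance Largest accepted |sum - ONE|; pass 0 for strict equality.
    function requireNormalized(int256[] memory weights, int256 tolerance) internal pure {
        int256 sum = 0;
        for (uint256 i = 0; i < weights.length; ++i) {
            // Reject zero or negative entries first, so a negative value
            // cannot offset an oversized one and still produce a valid sum.
            if (weights[i] <= 0) revert NonPositiveWeight(i, weights[i]);
            sum += weights[i]; // checked arithmetic in 0.8.x reverts on overflow
        }
        // Absolute distance of the sum from 100%.
        int256 diff = sum > ONE ? sum - ONE : ONE - sum;
        if (diff > tolerance) revert WeightsNotNormalized(sum);
    }
}
```

With `tolerance` set to 0 this is the strict equality the finding asks for, and any rounding dust in the supplied weights makes the call revert.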
According to the sponsor and my understanding, sum of weights does not have to be exactly 1 to work fine. So no real impact here. Please provide a PoC showing a realistic impact if you disagree. This PoC cannot contain negative weights because they will be guarded per clampWeights.