The setRuleForPool function in the UpdateWeightRunner contract lacks proper pool authorization controls. While the function is designed to be called only by legitimate pool contracts, there is no validation to ensure the calling pool is actually authorized within the QuantAMM ecosystem:
The vulnerability is that any address can call setRuleForPool without being validated as an authorized pool. An attacker can deploy a malicious contract implementing the basic pool interface, then use it to register arbitrary rules within the system.
The security implications are severe because rules have extensive control over critical pool parameters. Through rule configuration, an attacker can manipulate oracle integrations including primary and backup oracle settings, define custom weight update parameters like lambda coefficients and guard rail boundaries, set arbitrary update intervals, and inject malicious rule parameters that directly impact trading calculations and weight trajectories.
The existing checks only prevent multiple rule registrations from the same address but fail to validate the legitimacy of the initial rule setter. This bypasses the fundamental assumption in QuantAMM's security model that pool deployment and rules are strictly controlled. When malicious actors can freely register unauthorized pools and associated rules, it opens multiple attack vectors: they can create deceptive pools to confuse users, exploit oracle configurations for front-running, spam the system with fake registrations consuming resources, and potentially manipulate weight updates and trading through carefully crafted malicious rule parameters.
Implement pool authorization tracking:
Add authorization check to setRuleForPool:
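The two remediation steps above, as an added illustrative sketch rather than QuantAMM's own code: the contract, storage names, `onlyAdmin` modifier and `setApprovedPool` entry point are all assumptions made here to show the shape of the fix, not the project's actual API. The "before" form is kept as a comment for contrast; the hardened `setRuleForPool` checks the caller's pool authorization before the existing duplicate-registration check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical minimal sketch (not QuantAMM's UpdateWeightRunner) showing
/// pool authorization tracking plus the check in setRuleForPool.
contract UpdateWeightRunnerSketch {
    // Assumed: a single admin grants pool approval. In a real deployment this
    // role would belong to the trusted pool factory / deployment path.
    address public immutable admin;

    // Authorization tracking: pool address => approved to register a rule.
    mapping(address => bool) public approvedPools;

    // Pool address => rule contract address (address(0) = none registered).
    mapping(address => address) public poolRules;

    event PoolApproved(address indexed pool, bool approved);
    event RuleSet(address indexed pool, address indexed rule);

    error NotAdmin();
    error PoolNotApproved(address pool);
    error RuleAlreadySet(address pool);
    error ZeroRule();

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    /// Step 1: pool authorization tracking. Only the admin (assumed here) can
    /// mark a pool as approved, so arbitrary deployed contracts cannot opt in.
    function setApprovedPool(address pool, bool approved) external onlyAdmin {
        approvedPools[pool] = approved;
        emit PoolApproved(pool, approved);
    }

    // Vulnerable shape described in the finding, kept only for contrast:
    // the sole guard is "no second registration from the same address",
    // so any contract can call this once and install an arbitrary rule.
    //
    // function setRuleForPool(address rule) external {
    //     if (poolRules[msg.sender] != address(0)) revert RuleAlreadySet(msg.sender);
    //     poolRules[msg.sender] = rule;
    //     emit RuleSet(msg.sender, rule);
    // }

    /// Step 2: hardened version. The caller must be an approved pool before
    /// the existing duplicate-registration check is even reached.
    function setRuleForPool(address rule) external {
        if (!approvedPools[msg.sender]) revert PoolNotApproved(msg.sender);
        if (poolRules[msg.sender] != address(0)) revert RuleAlreadySet(msg.sender);
        if (rule == address(0)) revert ZeroRule();

        poolRules[msg.sender] = rule;
        emit RuleSet(msg.sender, rule);
    }
}
```

The authorization check is placed first so an unapproved caller can never reach any state-changing path, and approval is a separate admin-gated write rather than something a pool can assert about itself; the emitted events give off-chain monitoring a clear signal for both approvals and rule registrations.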