QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Permissionless performUpdate Enables Strategic MEV Through Update Timing Control

Summary

The performUpdate() function in the UpdateWeightRunner contract allows any external address to trigger weight updates for pools. The updates themselves are deterministic and subject to a minimum interval, but leaving the trigger permissionless lets a third party choose when an update lands, which creates opportunities for timing manipulation:

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/UpdateWeightRunner.sol#L279

    function performUpdate(address _pool) public {
        // No access control on who can call
        address rule = address(rules[_pool]);
        require(rule != address(0), "Pool not registered");
        // `settings` is the per-pool rule settings struct; its declaration and the
        // rest of the function body are elided in this excerpt
        require(
            block.timestamp - settings.timingSettings.lastPoolUpdateRun >= settings.timingSettings.updateInterval,
            "Update not allowed"
        );
        // ... rest of function
    }

The issue is the combination of two properties: the weight update is deterministic (anyone can compute what the next update will do to the pool's weights), and the trigger is unrestricted (anyone can decide when that update is applied). An attacker monitoring the mempool for pending trades can therefore choose the timing of a weight update that maximizes their extraction.

For example, an attacker who spots a large pending trade can simulate the outcome of triggering a weight update before versus after that trade. By front-running with a suitably timed update transaction at a higher gas price, they force the trade to execute under whichever set of weights is more profitable for the attacker. Deterministic weight calculation combined with controllable timing is a pure arbitrage opportunity.

This also undermines the Chainlink Automation infrastructure intended to run the updates. Chainlink provides the base automation layer, but any actor can bypass it simply by outbidding the keeper on gas and taking control of update timing, turning what should be a predictable automated process into a competitive MEV extraction opportunity.

The economic effects extend beyond the value extracted from sandwiched trades: bots competing over update timing drive up gas costs, and because updates then land when an MEV opportunity exists rather than at consistent intervals, price stability suffers.
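To make the "update before versus after the trade" comparison concrete, the following is an added example (not code from the report or from the QuantAMM code base): a float model of a two-token weighted pool using the Balancer-style weighted constant-product formula, which shows how much a fixed swap's output moves when a weight update is inserted ahead of it, and how a trader's minAmountOut bound limits that exposure. The pool balances, weights and trade size are constructed, and the real contracts use 18-decimal fixed point rather than floats.

```python
# Added example: weighted-pool swap output under pre- vs post-update weights.
# Balancer-style weighted math is assumed; all numeric inputs are constructed.
from dataclasses import dataclass


@dataclass
class Pool:
    bal_in: float    # reserve of the token being sold
    bal_out: float   # reserve of the token being bought
    w_in: float      # normalised weight of the token being sold
    w_out: float     # normalised weight of the token being bought


def swap_out(pool: Pool, amount_in: float) -> float:
    """Weighted constant-product output:
    B_out * (1 - (B_in / (B_in + a_in)) ** (w_in / w_out))."""
    ratio = pool.bal_in / (pool.bal_in + amount_in)
    return pool.bal_out * (1.0 - ratio ** (pool.w_in / pool.w_out))


def timing_exposure(pool: Pool, new_weights: tuple[float, float], amount_in: float) -> dict:
    """Output of the same swap if the weight update lands after the trade vs before it.
    'shift' is what the trader gains (positive) or loses (negative) when the update
    is forced in front of them."""
    before = swap_out(pool, amount_in)
    updated = Pool(pool.bal_in, pool.bal_out, *new_weights)
    after = swap_out(updated, amount_in)
    return {"update_after_trade": before, "update_before_trade": after, "shift": after - before}


def within_slippage(expected_out: float, actual_out: float, tolerance: float) -> bool:
    """User-side protection: a swap submitted with minAmountOut = expected * (1 - tolerance)
    reverts instead of executing under worse-than-expected weights."""
    return actual_out >= expected_out * (1.0 - tolerance)


if __name__ == "__main__":
    pool = Pool(bal_in=1000.0, bal_out=1000.0, w_in=0.5, w_out=0.5)
    for new in ((0.6, 0.4), (0.4, 0.6)):
        e = timing_exposure(pool, new, amount_in=100.0)
        ok = within_slippage(e["update_after_trade"], e["update_before_trade"], 0.01)
        print(f"weights -> {new}: {e}, passes 1% slippage bound: {ok}")
```

With the constructed numbers a 100-token swap returns about 90.9 under equal weights, about 133.2 if a 60/40 update lands first and about 61.6 if a 40/60 update lands first; only the adverse case trips a 1% slippage bound, so the bound protects the trader but does not remove the attacker's choice of ordering.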

Recommended Mitigation Steps

  1. Implement a keeper registry system:

    mapping(address => bool) public authorizedKeepers;
    event KeeperSet(address indexed keeper, bool status);
    event UpdateAttempted(address indexed caller, address indexed pool, bool success);

    function setKeeper(address keeper, bool status) external {
        require(msg.sender == quantammAdmin, "ONLYADMIN");
        authorizedKeepers[keeper] = status;
        emit KeeperSet(keeper, status);
    }

  2. Restrict update access to authorized keepers:

    function performUpdate(address _pool) public {
        require(msg.sender == quantammAdmin || authorizedKeepers[msg.sender], "Unauthorized");
        // ... rest of function
    }

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.
