QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Missing Lambda Vector Length Validation in QuantAMMMathMovingAverage

iepathos

Summary

The QuantAMMMathMovingAverage contract fails to validate the length of the lambda array in vector mode calculations, allowing mismatched array lengths that could lead to unexpected behavior or array access errors.

Vulnerability Details

Location: pkg/pool-quantamm/contracts/rules/base/QuantammMathMovingAverage.sol

The _calculateQuantAMMMovingAverage function accepts a lambda array that can be either length 1 (scalar mode) or match the number of assets (vector mode). However, it fails to validate the array length in vector mode, allowing arrays of incorrect length to be processed.

function _calculateQuantAMMMovingAverage(
int256[] memory _prevMovingAverage,
int256[] memory _newData,
int128[] memory _lambda,
uint _numberOfAssets
) internal pure returns (int256[] memory) {
// Missing validation for _lambda.length == _numberOfAssets in vector mode
if (_lambda.length == 1) {
// scalar mode processing
} else {
// vector mode processing without length validation
}
}

Proof of Concept

function testVectorLambdaMismatch() public {
int256[] memory prevMovingAvg = new int256[]();
prevMovingAvg[0] = 100e18;
prevMovingAvg[1] = 200e18;
int256[] memory newData = new int256[]();
newData[0] = 110e18;
newData[1] = 220e18;
// Create lambda array with wrong length
int128[] memory lambda = new int128[](); // 3 elements for 2 assets
lambda[0] = 0.5e18;
lambda[1] = 0.5e18;
lambda[2] = 0.5e18;
// Should revert but doesn't
movingAvg.calculateMovingAverage(
prevMovingAvg,
newData,
lambda,
2
);
}

Impact

Severity: Low

The lack of validation could lead to:

  1. Unexpected behavior when lambda array length doesn't match asset count

  2. Potential array out of bounds errors in certain scenarios

  3. Incorrect moving average calculations if vector mode is used improperly

The severity is Low because:

  • Function is internal with controlled access paths

  • No direct economic impact identified

  • Likely to cause reversion in most error cases

  • Main risk is from incorrect implementation of calling code

Recommendations

  1. Add explicit length validation:

function _calculateQuantAMMMovingAverage(
int256[] memory _prevMovingAverage,
int256[] memory _newData,
int128[] memory _lambda,
uint _numberOfAssets
) internal pure returns (int256[] memory) {
require(
_lambda.length == 1 || _lambda.length == _numberOfAssets,
"Invalid lambda length"
);
if (_lambda.length == 1) {
// scalar mode processing
} else {
// vector mode processing
}
}

  1. Consider adding additional safeguards:

    • Input validation for all array lengths

    • Clear documentation of expected array sizes

    • Events for monitoring calculation parameters

    • Explicit mode selection rather than inferring from array length

References

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.