Improper Matrix Dimension Validation in QuantAMM's Covariance Storage Allows Array Access Violations and Data Corruption
Description
The _setIntermediateCovariance function in QuantAMMCovarianceBasedRule.sol contains a critical flaw in its input validation logic that could allow initialization of covariance matrices with mismatched dimensions. The logical OR condition in the validation check permits bypassing essential size verification when storeLength is non-zero.
The issue arises because the function continues to use _numberOfAssets for internal validations and operations even when the input array's dimensions don't match this value. This mismatch between the validated length and the operational length creates a critical vulnerability.
Impact
This issue fundamentally compromises the protocol's matrix storage integrity and risk management system. The dimensional mismatch between validated and operational matrix sizes creates a critical vulnerability in memory access patterns. When _numberOfAssets exceeds _initialValues.length, the function will attempt out-of-bounds array access, potentially corrupting the stored covariance data. This corruption is particularly severe because the protocol's packing and unpacking functions expect specific matrix dimensions, and any violation of these assumptions leads to misaligned data reads and writes.
The economic ramifications extend far beyond mere technical corruption. The protocol's risk management system, which relies on accurate covariance calculations to guide portfolio weight adjustments, becomes fundamentally compromised when operating on incorrectly dimensioned or corrupted matrix data. This leads to a cascade of invalid risk assessments and potentially harmful weight adjustments. Since this corruption occurs at the storage level, it could become permanent, requiring pool redeployment to rectify. Additionally, the dimensional validation bypass creates an attack vector where malicious actors could intentionally trigger storage corruption through manipulated matrix dimensions, potentially leading to denial of service conditions across affected pools.
Recommended Mitigation Steps
Fix the validation logic to always verify against _numberOfAssets:
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.