QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

Missing Validation for Weights Calculation in Rules when `locals.kappaStore.length == 1`

HashNode Labs

Vulnerability Details

In the function Rules::_getWeights(), while calculating the newWeightsConverted, we check if resultant weights are greater than or equal to 0 otherwise we revert in case of locals.kappaStore.length != 1

require(locals.res >= 0, "Invalid weight");

But in case of locals.kappaStore.length == 1 the check is not performed.

This allows the function to bypass the validation check, potentially leading to invalid weights being accepted.

@> if (locals.kappaStore.length == 1) {

//scalar logic separate to vector for efficiency

locals.normalizationFactor /= int256(locals.prevWeightLength);

// To avoid intermediate overflows (because of normalization), we only downcast in the end to an uint6

// κ · ( 1/p(t) * ∂p(t)/∂t − ℓp(t))

for (locals.i = 0; locals.i < locals.prevWeightLength; ) {

int256 res = int256(_prevWeights[locals.i]) +

locals.kappaStore[0].mul(locals.newWeights[locals.i] - locals.normalizationFactor);

newWeightsConverted[locals.i] = res;

unchecked {

++locals.i;

}

} else {

//vector logic separate to vector for efficiency

int256 sumKappa;

for (locals.i = 0; locals.i < locals.kappaStore.length; ) {

sumKappa += locals.kappaStore[locals.i];

unchecked {

++locals.i;

}

locals.normalizationFactor = locals.normalizationFactor.div(sumKappa);

// To avoid intermediate overflows (because of normalization), we only downcast in the end to an uint6

for (locals.i = 0; i < _prevWeights.length; ) {

locals.res =

int256(_prevWeights[locals.i]) +

locals.kappaStore[locals.i].mul(locals.newWeights[locals.i] - locals.normalizationFactor);

@> require(locals.res >= 0, "Invalid weight");

newWeightsConverted[locals.i] = locals.res;

unchecked {

++locals.i;

}

return newWeightsConverted;

Impact

The missing validation check for locals.kappaStore.length == 1 can lead to invalid weights being accepted, potentially causing incorrect calculations and unexpected behavior in the system.

Tools Used

Manual review

Recommendations

Add a check to ensure resultant weights are greater than or equal to 0 when locals.kappaStore.length == 1:

require(res >= 0, "Invalid weight");

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

invalid_weights_can_be_negative_or_extreme_values

_clampWeights will check that these weights are positive and in the boundaries before writing them in storage.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.