QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: high

Valid

Using of incorrect array index in `QuantAMMVarianceBasedRule`

pontifex

Summary

The QuantAMMVarianceBasedRule._calculateQuantAMMVariance function does not decrement locals.nMinusOne variable for the _poolParameters.lambda.length > 1 && locals.notDivisibleByTwo case but then increment it by one what can cause an error.

Vulnerability Details

The locals.nMinusOne is decremented only for the _poolParameters.lambda.length == 1 case:

function _calculateQuantAMMVariance(

int256[] memory _newData,

QuantAMMPoolParameters memory _poolParameters

) internal returns (int256[] memory) {

<...>

if (_poolParameters.lambda.length == 1) {

//scalar parameters mean the calculation is simplified and even if it increases function and

//contract size it decrease gas computed given iterative design tests

if (locals.notDivisibleByTwo) {//@audit should be outside of the if-statement. can cause DOS due to out of bounds error

unchecked {

>> --locals.nMinusOne;

}

<...>

if (locals.notDivisibleByTwo) {

unchecked {

>> ++locals.nMinusOne;

}

<...>

}

} else {

//vector parameter calculation is the same but we have to keep track of and access the right vector parameter

for (uint i; i < locals.nMinusOne; ) {

<...>

}

if (locals.notDivisibleByTwo) {

unchecked {

>> ++locals.nMinusOne;

locals.convertedLambda = int256(_poolParameters.lambda[locals.nMinusOne]);

locals.oneMinusLambda = ONE - locals.convertedLambda;

}

<...>

}

return locals.finalState;

}

Impact

DoS of the core functionality

Tools used

Manual Review

Recommendations

Consider decrementing the locals.nMinusOne variable outside of the if (_poolParameters.lambda.length == 1) statement

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_calculateQuantAMMVariance_revert_when_vector_lambda_and_odd_asset_number

Likelihood: Medium/High, odd asset number + lambda is a vector. Impact: Medium/High, DoS the update.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.