QuantAMM

49,600 OP
Submission Details
Severity: high
Invalid

Indexing Issue during secondFourWeights Iteration in getQuantAMMWeightedPoolDynamicData()

Summary

The getQuantAMMWeightedPoolDynamicData() function inside QuantAMMWeightedPool.sol fails to correctly increase the index of secondFourWeights during iteration. This is due to an underflow when attempting to fill data.weightsAtLastUpdateInterval and data.weightBlockMultipliers for token indexes greater than or equal to 4.

Vulnerability Details

The getQuantAMMWeightedPoolDynamicData() function is a view function that returns the dynamic data of a QuantAMM weighted pool. Among the data it returns are the weight parameters of the pool, which include the firstFourWeights and secondFourWeights blocks. Each weights block contains a maximum of four token weights together with their multipliers. The function correctly iterates over the firstFourWeights block in the dynamic data storage being returned but fails to do likewise for the secondFourWeights block. When it attempts to iterate through the secondFourWeights block, it incorrectly increments the index for secondFourWeights, which causes an underflow and a failed operation.


Below is the affected code in the getQuantAMMWeightedPoolDynamicData() function.

https://github.com/Cyfrin/2024-12-quantamm/blob/main/pkg/pool-quantamm/contracts/QuantAMMWeightedPool.sol#L584-L604

    for (uint i; i < tokenCount; i++) {
        if (i < 4) {
            data.weightsAtLastUpdateInterval[i] = firstFourWeights[i];
            data.weightBlockMultipliers[i] = firstFourWeights[i + firstTokenOffset];
        } else {
            data.weightsAtLastUpdateInterval[i] = secondFourWeights[i - 4]; // i-4 leads to underflow
            data.weightBlockMultipliers[i] = secondFourWeights[i - 4 + moreThan4Tokens]; // i-4 + moreThan4Token leads to underflow
        }
    }

In the else part of the conditional statement we can see that the function attempts to subtract 4 from the increasing i values. The i values start from zero, which means that for the first four iterations there is going to be an underflow, so the index of tokens being iterated from secondFourWeights will underflow into a large index, which doesn't correlate with the maximum number of tokens applicable to this pool. Also, based on the Solidity version being used in this pool, the operation simply reverts.

Impact

Denial of service

Tools Used

Manual review

Recommendations

Use the same method that is used to iterate the firstFourWeights block; there is no need to subtract 4.

for (uint i; i < tokenCount; i++) {
if (i < 4) {
data.weightsAtLastUpdateInterval[i] = firstFourWeights[i];
data.weightBlockMultipliers[i] = firstFourWeights[i + firstTokenOffset];
} else {
- data.weightsAtLastUpdateInterval[i] = secondFourWeights[i - 4];
- data.weightBlockMultipliers[i] = secondFourWeights[i - 4 + moreThan4Tokens];
+ data.weightsAtLastUpdateInterval[i] = secondFourWeights[i];
+ data.weightBlockMultipliers[i] = secondFourWeights[i + moreThan4Tokens];
}
}
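Review bot: In the else branch, the `+` lines index secondFourWeights with `i` and `i + moreThan4Tokens`, but that branch only executes when `if (i < 4)` is false, so `i` is already at least 4 there and the removed `i - 4` evaluates to 0 or more and cannot underflow. With the proposed change the first read from secondFourWeights would be at index 4 instead of 0, skipping its first four slots; suggest keeping `secondFourWeights[i - 4]` and `secondFourWeights[i - 4 + moreThan4Tokens]` as they are.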
Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
