QuantAMM

49,600 OP
Submission Details
Severity: high
Invalid

Missing Validation of lambda Array Length in `_calculateQuantAMMCovariance` Function can disrupt contract logic

Summary

Vulnerability Details

  • The contract differentiates between scalar (`lambda.length == 1`) and vector (`lambda.length > 1`) calculations:

    • Scalar Calculation (lambda.length == 1): Works as expected by using one lambda value for all operations.

    • Vector Calculation (lambda.length > 1): Expected to work with a lambda array that matches the number of assets (n).

    However, the contract lacks any validation that lambda.length matches the expected length (n). This results in the following potential issues:

    1. Out-of-Bounds Access:

      • If lambda.length exceeds n, during the iteration, the code accesses memory at indices that are not valid (lambda[i] for i >= n), leading to an out-of-bounds error.

    2. Incomplete Calculation:

      • If lambda.length is smaller than n, the calculation will incorrectly compute the covariance matrix because some assets will lack corresponding lambda values.

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/rules/base/QuantammCovarianceBasedRule.sol#L47C4-L128C1

Reproduction Steps:

  1. Deploy the contract and initialize it with a pool that has n assets.

  2. Pass an array lambda[] with a size greater or smaller than n.

  3. Call the _calculateQuantAMMCovariance function with new data.

  4. Observe that the function either:

    • Accesses an out-of-bounds index when lambda.length > n.

    • Results in incorrect computations when lambda.length < n.

Impact

  • Out-of-bounds errors can result in memory corruption, which can disrupt contract logic and cause unexpected outcomes.

  • Incomplete covariance calculations will impact critical contract states like pricing or decision-making, potentially causing substantial losses in assets or disrupting intended functionality.

Tools Used

Manual

Recommendations

Add a validation check to ensure that lambda.length is equal to n before proceeding with the covariance calculations.
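
One way to write the recommended check, as an added example that is not code from the QuantAMM repository. The library, function and error names are hypothetical, and the `int256[]` element type is an assumption, since the page does not show the function's signature. It accepts a lambda array of length 1 (scalar mode) or length n (vector mode) and reverts on any other length.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Added illustration; not code from the QuantAMM repository.
/// LambdaLengthGuard, resolveLambda and LambdaLengthMismatch are hypothetical names.
library LambdaLengthGuard {
    /// Raised when lambda holds neither one shared value nor one value per asset.
    error LambdaLengthMismatch(uint256 lambdaLength, uint256 numAssets);

    /// @notice Expand lambda to one entry per asset, rejecting any other length.
    /// @param lambda Decay parameters: length 1 (scalar mode) or length n (vector mode).
    ///        The int256 element type is an assumption made for this example.
    /// @param n Number of assets in the pool.
    /// @return perAsset Array of length n with the lambda to use for each asset.
    function resolveLambda(int256[] memory lambda, uint256 n)
        internal
        pure
        returns (int256[] memory perAsset)
    {
        if (lambda.length == n) {
            // Vector mode (and the single-asset case): already one value per asset.
            return lambda;
        }
        if (lambda.length != 1) {
            // Covers empty, too-short and too-long arrays in one place,
            // before any covariance arithmetic runs.
            revert LambdaLengthMismatch(lambda.length, n);
        }
        // Scalar mode: reuse the single value for every asset.
        perAsset = new int256[](n);
        for (uint256 i = 0; i < n; ++i) {
            perAsset[i] = lambda[0];
        }
    }
}
```

Calling such a helper at the top of the covariance update means the loops that follow only ever index an array of length n.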

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
