QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Hardcoded Version String in Pool Factory

sparrow

Description

In QuantAMMWeightedPoolFactory, the pool version string is hardcoded to "version" in both the createWithoutArgs and create functions instead of using the _poolVersion value that was set during contract construction.

Vulnerable Code

// In createWithoutArgs:
pool = _create(abi.encode(
QuantAMMWeightedPool.NewPoolParams({
version: "version", // Hardcoded instead of using _poolVersion
// ...
})
));
// In create:
poolArgs = abi.encode(
QuantAMMWeightedPool.NewPoolParams({
version: "version", // Also hardcoded instead of using _poolVersion
// ...
})
);

Impact

  • All pools will have "version" as their version string regardless of the actual version specified during factory deployment

  • Makes it impossible to properly track different versions of pools in production

  • Defeats the purpose of having a configurable pool version in the constructor

Recommended Fix

Update both functions to use _poolVersion:

// In createWithoutArgs:
pool = _create(abi.encode(
QuantAMMWeightedPool.NewPoolParams({
version: _poolVersion, // Use the stored pool version
// ...
})
));
// In create:
poolArgs = abi.encode(
QuantAMMWeightedPool.NewPoolParams({
version: _poolVersion, // Use the stored pool version
// ...
})
);
Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_hardcoded_version

Version is immutable as specified in Version.sol and can be what the developer wants. It is hardcoded and will be changed by the admin for every deployment. No real impact here.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.