QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

_disableInitializers Call Missing

ChainDefenders

Summary

In QuantAMMWeightedPool the _disableInitializers call is missing from the constructor. If the main contract is left out uninitialized a malicious user can initialize it by which he could take control of it.

Vulnerability Details

In QuantAMMWeightedPool the _disableInitializers call is missing

Impact

Could lead to a malicious user gaining control of the contract.

Tools Used

Manual Review

Recommendations

Add a _disableInitializers call to the constructor:

constructor(
NewPoolParams memory params,
IVault vault
) BalancerPoolToken(vault, params.name, params.symbol) PoolInfo(vault) Version(params.version) {
+ _disableInitializers();
_totalTokens = params.numTokens;
updateWeightRunner = UpdateWeightRunner(params.updateWeightRunner);
quantammAdmin = updateWeightRunner.quantammAdmin();
poolRegistry = params.poolRegistry;
require(params.poolDetails.length <= 50, "Limit exceeds array length");
for(uint i; i < params.poolDetails.length; i++){
require(params.poolDetails[i].length == 4, "detail needs all 4 [category, name, type, detail]");
}
poolDetails = params.poolDetails;
}
Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.