When initializing the pool, there is no validation to ensure that the assets correspond correctly to the oracles. For instance, asset[0] might inadvertently map to oracle[1].
The absence of a validation step during pool initialization allows mismatched mappings between assets and oracles.
Mismatches between assets and oracles can result in incorrect pool valuations, potentially affecting protocol integrity and user trust. For example, this can lead to inaccurate calculations or unexpected behavior, particularly in functions such as UpliftOnlyExample::getPoolLPTokenValue.
Manual Review
Implement a validation mechanism during pool initialization to ensure that each asset corresponds correctly to its intended oracle.
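One way to implement the recommended check, as an added example that is not part of the original submission or the project's code. It assumes a hypothetical admin-maintained registry recording which asset each oracle prices; OracleAssetRegistry, approveOracle and validatePairs are illustrative names, and pool initialization would call validatePairs before accepting the two arrays.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Added illustration. Every name in this contract is hypothetical and
/// does not come from the audited code base.
contract OracleAssetRegistry {
    error NotAdmin();
    error LengthMismatch(uint256 assets, uint256 oracles);
    error ZeroAddress(uint256 index);
    error OracleNotApprovedForAsset(uint256 index, address asset, address oracle);

    address public immutable admin;

    // oracle => the single asset it was approved to price
    // (assumption: each oracle prices exactly one asset)
    mapping(address => address) public approvedAssetOf;

    constructor() {
        admin = msg.sender;
    }

    /// Records, out of band from pool creation, which asset an oracle prices.
    function approveOracle(address oracle, address asset) external {
        if (msg.sender != admin) revert NotAdmin();
        if (oracle == address(0) || asset == address(0)) revert ZeroAddress(0);
        approvedAssetOf[oracle] = asset;
    }

    /// Reverts unless oracles[i] is the approved oracle for assets[i] at
    /// every index, so a swapped pair such as asset[0] with oracle[1]
    /// cannot pass initialization.
    function validatePairs(
        address[] calldata assets,
        address[] calldata oracles
    ) external view {
        if (assets.length != oracles.length) {
            revert LengthMismatch(assets.length, oracles.length);
        }
        for (uint256 i = 0; i < assets.length; ++i) {
            if (assets[i] == address(0) || oracles[i] == address(0)) {
                revert ZeroAddress(i);
            }
            if (approvedAssetOf[oracles[i]] != assets[i]) {
                revert OracleNotApprovedForAsset(i, assets[i], oracles[i]);
            }
        }
    }
}
```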
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.