QuantAMM

49,600 OP
Submission Details
Severity: medium
Valid

`setUpdateWeightRunnerAddress` could break the protocol

Summary

The current implementation of UpdateWeightRunner introduces a critical vulnerability in the protocol. If the quantammAdmin changes a pool's UpdateWeightRunner, the pool is left in an inconsistent state and the protocol can break. Specifically:

  1. A new UpdateWeightRunner might have a different quantammAdmin, which would not align with the existing Pool.

  2. The rule required by the new UpdateWeightRunner is not set because the rule is defined during the Pool initialization phase.

This issue creates inconsistencies in the protocol, potentially leading to a denial of service (DoS) for affected pools.

Vulnerability Details

The vulnerability arises when the UpdateWeightRunner is changed, causing critical issues:

  1. Admin Ownership Mismatch: The new UpdateWeightRunner may have a different quantammAdmin, leading to conflicting authority and governance inconsistencies.

  2. Missing Rules: The pool’s rules, set during initialization, are not carried over to the new UpdateWeightRunner. This prevents updates, effectively causing a denial-of-service (DoS) for the pool.

Proof of Concept (POC)

Add the following test to QuantAMMWeightedPool2TokenTest to simulate the issue:

Initialization of the New UpdateWeightRunner:

    updateWeightRunner1 = new MockUpdateWeightRunner(owner, addr2, false); // Add this to the constructor

POC Test Case:

    MockUpdateWeightRunner updateWeightRunner1;

    function testQuantAMMWeightedPoolGetNormalizedWeightsInitial_andThenChangeUpdateWeightRunner() public {
        QuantAMMWeightedPoolFactory.NewPoolParams memory params = _createPoolParams();
        params._initialWeights[0] = 0.6e18;
        params._initialWeights[1] = 0.4e18;
        (address quantAMMWeightedPool, ) = quantAMMWeightedPoolFactory.create(params);
        uint256[] memory weights = QuantAMMWeightedPool(quantAMMWeightedPool).getNormalizedWeights();

        // Array lengths assumed: the minimum that the indices used below require.
        int256[] memory newWeights = new int256[](4);
        newWeights[0] = 0.6e18;
        newWeights[1] = 0.4e18;
        newWeights[2] = 0e18;
        newWeights[3] = 0e18;
        uint64[] memory lambdas = new uint64[](1);
        lambdas[0] = 0.2e18;
        int256[][] memory parameters = new int256[][](1);
        parameters[0] = new int256[](1);
        parameters[0][0] = 0.2e18;
        address[][] memory oracles = new address[][](1);
        oracles[0] = new address[](1);
        // Assumption: chainlinkOracle is the oracle fixture of the test contract.
        oracles[0][0] = address(chainlinkOracle);
        MockMomentumRule momentumRule = new MockMomentumRule(owner);

        // Change UpdateWeightRunner before the pool is initialized
        vm.prank(owner);
        QuantAMMWeightedPool(quantAMMWeightedPool).setUpdateWeightRunnerAddress(address(updateWeightRunner1));
        QuantAMMWeightedPool(quantAMMWeightedPool).initialize(
            newWeights,
            IQuantAMMWeightedPool.PoolSettings(
                new IERC20[](0), // empty asset list assumed
                IUpdateRule(momentumRule),
                oracles,
                60,
                lambdas,
                0.2e18,
                0.2e18,
                0.2e18,
                parameters,
                address(0)
            ),
            newWeights,
            newWeights,
            10
        );

        // Perform an update with the new runner
        vm.prank(owner);
        updateWeightRunner1.setApprovedActionsForPool(quantAMMWeightedPool, 1);
        updateWeightRunner1.performUpdate(quantAMMWeightedPool);
    }

Impact

Changing the UpdateWeightRunner leads to the following issues:

  1. Denial of Service (DoS):
    The new UpdateWeightRunner does not inherit the rule for the existing pool, rendering it non-functional.

  2. Unauthorized Updates:
    The quantammAdmin of the initial UpdateWeightRunner can update the pool with the new UpdateWeightRunner, creating further inconsistencies.

These flaws disrupt the protocol and can lead to operational outages or malicious misuse.
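
The failure mode and a guarded switch, as a minimal self-contained model added here for illustration; it is not QuantAMM's code. `ModelRunner`, `ModelPool`, `ruleOf`, `setRuleForPool`, `switchRunnerUnsafe` and `switchRunnerChecked` are hypothetical names. The guarded path rejects an admin mismatch instead of adopting the new admin, which is a design choice of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Hypothetical, simplified stand-ins; not the QuantAMM contracts.
contract ModelRunner {
    address public immutable quantammAdmin;
    mapping(address => address) public ruleOf; // pool => rule, written only at registration

    constructor(address admin) { quantammAdmin = admin; }

    // Called by the pool itself, mirroring rule registration at pool initialization.
    function setRuleForPool(address rule) external {
        require(ruleOf[msg.sender] == address(0), "RULE_SET");
        ruleOf[msg.sender] = rule;
    }

    function performUpdate(address pool) external view returns (address rule) {
        rule = ruleOf[pool];
        require(rule != address(0), "NO_RULE"); // the DoS: a fresh runner has no entry
    }
}

contract ModelPool {
    ModelRunner public runner;
    address public quantammAdmin;
    address public rule;

    constructor(ModelRunner r, address rule_) {
        runner = r;
        quantammAdmin = r.quantammAdmin();
        rule = rule_;
        r.setRuleForPool(rule_);
    }

    // As described in the finding: only the pointer changes, so the new runner
    // has no rule for this pool and may report a different admin.
    function switchRunnerUnsafe(ModelRunner next) external {
        require(msg.sender == quantammAdmin, "ONLYADMIN");
        runner = next;
    }

    // Guarded switch: refuse an admin mismatch and re-register the stored rule.
    function switchRunnerChecked(ModelRunner next) external {
        require(msg.sender == quantammAdmin, "ONLYADMIN");
        require(address(next).code.length != 0, "NOT_CONTRACT");
        require(next.quantammAdmin() == quantammAdmin, "ADMIN_MISMATCH");
        runner = next;
        if (next.ruleOf(address(this)) == address(0)) next.setRuleForPool(rule);
    }
}
```

After `switchRunnerUnsafe`, `runner.performUpdate(address(pool))` reverts with `NO_RULE`; after `switchRunnerChecked` it returns the rule registered at construction.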

Tools Used

Manual review

Recommendations

To address this vulnerability, update the setUpdateWeightRunnerAddress function to synchronize quantammAdmin and ensure the rule is correctly set during the update. Modify the function as follows:

Updated Code

function setUpdateWeightRunnerAddress(address _updateWeightRunner) external override {
require(msg.sender == quantammAdmin, "ONLYADMIN");
updateWeightRunner = UpdateWeightRunner(_updateWeightRunner);
+ quantammAdmin = updateWeightRunner.quantammAdmin();
+ _setRule(); // Call set rule with the correct parameters
emit UpdateWeightRunnerAddressUpdated(address(updateWeightRunner), _updateWeightRunner);
}
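
Review bot: The added `quantammAdmin = updateWeightRunner.quantammAdmin();` reads from an address that is never validated, so a wrong `_updateWeightRunner` either reverts the call or transfers pool admin to whatever value that contract returns. Validate the new runner before assigning (non-zero address, `quantammAdmin()` non-zero) and decide explicitly whether a changed admin is accepted or rejected. `_setRule()` is shown without arguments while its comment says "with the correct parameters", so the patch should state which stored values are passed. Also, `updateWeightRunner` is reassigned before the `emit`, so both event arguments carry the new address; cache the previous runner first if the event is meant to report old and new.
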
Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_setUpdateWeightRunnerAddress_will_DoS_rules

Likelihood: Low, when setting a new UpdateWeightRunner (for hotfixes)
Impact: High, DoS performUpdate and force redeployment
