QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

Severe Precision Issues in `QuantAMMStorage` Due to Cast and Shift Operation

bladesec

Title

Severe Precision Issues in QuantAMMStorage Due to Cast and Shift Operation

Summary

The QuantAMMStorage contract contains severe vulnerabilities in its integer handling mechanisms, including overflow in the _quantAMMPackTwo128 function and precision loss during casting in the _quantAMMPack128Array function. This could lead to data corruption, and potential fund losses in the protocol.

Vulnerability Details

1. Integer Overflow in _quantAMMPackTwo128

Here's the implementation of _quantAMMPackTwo128 function in QuantAMMStorage contract:

function _quantAMMPackTwo128(int256 _leftInt, int256 _rightInt) internal pure returns (int256 packed) {

require((_leftInt <= MAX128) && (_rightInt <= MAX128), "Overflow");

require((_leftInt >= MIN128) && (_rightInt >= MIN128), "Underflow");

>> packed = (_leftInt << 128) | int256(uint256(_rightInt << 128) >> 128);

}

The _quantAMMPackTwo128 function suffers from an integer overflow due to improper handling of left shift operations. The left shift operation (_leftInt << 128) is performed without proper type casting, leading to bit loss during the operation.

2. Precision Loss in _quantAMMPack128Array

Here's the implementation of _quantAMMPack128Array function in QuantAMMStorage contract:

function _quantAMMPack128Array(int256[] memory _sourceArray) internal pure returns (int256[] memory targetArray) {

...

if (_sourceArray.length % 2 == 0) {

...

} else {

int256 lastArrayItem = _sourceArray[_sourceArray.length - 1];

require(

(lastArrayItem >= int256(type(int128).min)) && (lastArrayItem <= int256(type(int128).max)),

"Last array element overflow"

);

unchecked {

targetArrayLength = ((targetArrayLength - 1) / 2) + 1;

}

targetArray = new int256[](targetArrayLength);

uint sourceArrayLengthMinusTwo = sourceArrayLength - 2;

for (uint i; i < sourceArrayLengthMinusTwo; ) {

targetArray[storageIndex] = _quantAMMPackTwo128(_sourceArray[i], _sourceArray[i + 1]);

unchecked {

i += 2;

++storageIndex;

}

>> targetArray[storageIndex] = int256(int128(_sourceArray[sourceArrayLength - 1]));

}

Above function introduces precision loss when handling arrays with odd lengths. The last element is cast from int256 to int128 and back to int256, leading to truncation if the value exceeds the int128 range.

Impact

Data corruption and fund loss in storage.
Incorrect financial calculations and state representation.

Tools Used

Manual Review

Recommendations

Cast to uint256 before performing shift operations in _quantAMMPackTwo128 to prevent overflow and bit loss.
Add range checks in _quantAMMPack128Array to ensure values fit within int128 range and avoid truncation.

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.