Submission Details
Severity:
Lack of important check in `_setInitialIntermediateValues`
Summary
The DifferenceMomentumUpdateRule._setInitialIntermediateValues function does not check if _numberOfAssets == shortMovingAverages[_poolAddress].length while the QuantAMMGradientBasedRule._setGradient function, which is used by others rules, provides it. This means that the _initialValues can have different lengths from existing.
Vulnerability Details
function _setInitialIntermediateValues(
address _poolAddress,
int256[] memory _initialValues,
uint _numberOfAssets
) internal override {
require(_initialValues.length == _numberOfAssets, "Invalid initial values");
//to avoid incorrect access to base MathMovingAverage, we need to set the moving average here
uint movingAverageLength = shortMovingAverages[_poolAddress].length;
if (movingAverageLength == 0 || _initialValues.length == _numberOfAssets) {//@audit lack of the `_numberOfAssets == shortMovingAverages[_poolAddress].length` check
//should be during create pool
shortMovingAverages[_poolAddress] = _quantAMMPack128Array(_initialValues);
} else {
revert("Invalid set moving avg");
}
}
function _setGradient(address poolAddress, int256[] memory _initialValues, uint _numberOfAssets) internal {
uint storeLength = intermediateGradientStates[poolAddress].length;
>> if ((storeLength == 0 && _initialValues.length == _numberOfAssets) || _initialValues.length == storeLength) {
//should be during create pool
intermediateGradientStates[poolAddress] = _quantAMMPack128Array(_initialValues);
} else {
revert("Invalid set gradient");
}
}
Impact
Unexpected behavior
Tools used
Manual Review
Recommendations
Consider implementing the corresponding check:
function _setInitialIntermediateValues(
address _poolAddress,
int256[] memory _initialValues,
uint _numberOfAssets
) internal override {
require(_initialValues.length == _numberOfAssets, "Invalid initial values");
//to avoid incorrect access to base MathMovingAverage, we need to set the moving average here
uint movingAverageLength = shortMovingAverages[_poolAddress].length;
- if (movingAverageLength == 0 || _initialValues.length == _numberOfAssets) {
+ if (movingAverageLength == 0 || (_initialValues.length == _numberOfAssets && _numberOfAssets == movingAverageLength)) {
//should be during create pool
shortMovingAverages[_poolAddress] = _quantAMMPack128Array(_initialValues);
} else {
revert("Invalid set moving avg");
}
}
Prize pool breakdown
Total prize
49,600 OP
nSLOC
3,00017 OP / LOC
44,640
4,960
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.