QuantAMM

49,600 OP
Submission Details
Severity: medium
Invalid

Re-org attack is possible in QuantAMMWeightedPoolFactory.sol.

Summary

Block re-orgs can happen on all EVM-compatible chains, especially on L2s. The createWithoutArgs() function in QuantAMMWeightedPoolFactory is susceptible to re-org issues because the address is calculated only from the pool parameters, without msg.sender.

Vulnerability Details

The createWithoutArgs() function deploys a weightedPool contract using create, where the address derivation depends only on the pool parameters.
Re-orgs can happen in all EVM chains. In Ethereum, though it is not "super common," it still happens; the last one was about 2 years ago.

https://decrypt.co/101390/ethereum-beacon-chain-blockchain-reorg

The chance of this happening increases if the protocol is deployed on L2s/rollups; proof:

https://discord.com/channels/810916927919620096/1095308824354758696/1096693817450692658

The issue would happen when users rely on the address derivation in advance or try to deploy the pool with the same address on different EVM chains.

Impact

It can lead to possible loss of the pool as a malicious actor can quickly frontrun deployment of the said contract, setting himself as pool owner.

Tools Used

Manual Review

Recommendations

Deploy such contracts via create2 with a salt that includes msg.sender.
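The recommendation above as an added example, not code from the QuantAMM repository or from this submission. `ExamplePool`, `SenderBoundFactory`, `finalSalt` and `predict` are hypothetical names, and the pool parameters are reduced to a single hash for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for a pool; not the QuantAMM pool contract.
contract ExamplePool {
    address public immutable owner;
    bytes32 public immutable paramsHash;

    constructor(address owner_, bytes32 paramsHash_) {
        owner = owner_;
        paramsHash = paramsHash_;
    }
}

// Hypothetical factory: the CREATE2 salt commits to the caller.
contract SenderBoundFactory {
    event PoolCreated(address indexed pool, address indexed deployer);

    // Binding the salt to the deployer means a different account submitting
    // the same parameters after a re-org derives a different address.
    function finalSalt(address deployer, bytes32 userSalt) public pure returns (bytes32) {
        return keccak256(abi.encode(deployer, userSalt));
    }

    function create(bytes32 paramsHash, bytes32 userSalt) external returns (address pool) {
        bytes32 salt = finalSalt(msg.sender, userSalt);
        pool = address(new ExamplePool{salt: salt}(msg.sender, paramsHash));
        emit PoolCreated(pool, msg.sender);
    }

    // CREATE2 address: keccak256(0xff ++ factory ++ salt ++ keccak256(initCode))[12:].
    // Lets a user compute, before deploying, the address only they can claim.
    function predict(address deployer, bytes32 paramsHash, bytes32 userSalt) external view returns (address) {
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(ExamplePool).creationCode, abi.encode(deployer, paramsHash))
        );
        bytes32 digest = keccak256(
            abi.encodePacked(bytes1(0xff), address(this), finalSalt(deployer, userSalt), initCodeHash)
        );
        return address(uint160(uint256(digest)));
    }
}
```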

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
