QuantAMM

49,600 OP
Submission Details
Severity: medium
Invalid

Pool Initialized with Hardcoded "version" Instead of Dynamic `_poolVersion`

Summary

In the `createWithoutArgs` function of the `QuantAMMWeightedPoolFactory` contract, the pool is created using a static `"version"` string instead of the `_poolVersion` variable defined in the constructor, breaking the versioning system for weighted pools.

Vulnerability Details

Here's the implementation of the `createWithoutArgs` function in the `QuantAMMWeightedPoolFactory` contract:

```solidity
function createWithoutArgs(NewPoolParams memory params) external returns (address pool) {
    if (params.roleAccounts.poolCreator != address(0)) {
        revert StandardPoolWithCreator();
    }
    LiquidityManagement memory liquidityManagement = getDefaultLiquidityManagement();
    liquidityManagement.enableDonation = params.enableDonation;
    // disableUnbalancedLiquidity must be set to true if a hook has the flag enableHookAdjustedAmounts = true.
    liquidityManagement.disableUnbalancedLiquidity = params.disableUnbalancedLiquidity;
    pool = _create(abi.encode(
        QuantAMMWeightedPool.NewPoolParams({
            name: params.name,
            symbol: params.symbol,
            numTokens: params.normalizedWeights.length,
            version: "version", // >> hardcoded literal instead of _poolVersion
            updateWeightRunner: _updateWeightRunner,
            poolRegistry: params.poolRegistry,
            poolDetails: params.poolDetails
        }),
        getVault()
    ), params.salt);
    ...
}
```

As seen above, the static string `"version"` is used to initialize the new pool.
The static version string undermines version tracking and management, making it difficult for protocol teams to monitor or update pools effectively.
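
A source-level check for this class of mistake, as an added example that is not part of the submission or the QuantAMM code base: it walks Solidity named-argument struct literals and reports watched fields (here `version`) that are assigned a string literal. `SAMPLE` is a constructed, trimmed copy of the call quoted above, and the helper names `struct_literals` and `hardcoded_fields` are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of the factory call quoted in the report.
SAMPLE = '''\
pool = _create(abi.encode(
    QuantAMMWeightedPool.NewPoolParams({
        name: params.name,
        symbol: params.symbol,
        numTokens: params.normalizedWeights.length,
        version: "version",
        updateWeightRunner: _updateWeightRunner
    }),
    getVault()
), params.salt);
'''

STRUCT_OPEN = re.compile(r'([A-Za-z_][\w.]*)\s*\(\s*\{')
FIELD_LITERAL = re.compile(r'^\s*(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"\s*,?\s*(?://.*)?$')

def struct_literals(source):
    """Yield (struct_name, line_of_opening_brace, body) for each Name({ ... }) literal."""
    for m in STRUCT_OPEN.finditer(source):
        depth, in_str, i = 1, False, m.end()
        while i < len(source) and depth:
            c = source[i]
            if in_str:                      # braces inside string literals do not count
                if c == '\\':
                    i += 1                  # skip the escaped character
                elif c == '"':
                    in_str = False
            elif c == '"':
                in_str = True
            elif c == '{':
                depth += 1
            elif c == '}':
                depth -= 1
            i += 1
        if depth == 0:
            yield m.group(1), source.count('\n', 0, m.end()) + 1, source[m.end():i - 1]

def hardcoded_fields(source, watched=("version",)):
    """Return sorted (line, struct, field, literal) for watched fields set to a string literal."""
    found = {}
    for name, start, body in struct_literals(source):
        for k, line in enumerate(body.split('\n')):
            m = FIELD_LITERAL.match(line)
            if m and m.group(1) in watched:  # a nested literal overwrites the outer hit
                found[(start + k, m.group(1))] = (start + k, name, m.group(1), m.group(2))
    return sorted(found.values())
```

Run over a factory source file in CI, a non-empty result from `hardcoded_fields` fails the build before a pool can be deployed with a placeholder version.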

Impact

The static version string prevents accurate version tracking, increasing the risk of outdated pools remaining unpatched and exposing user funds to potential vulnerabilities.

Tools Used

Manual Review

Recommendations

Replace the static `"version"` string with the `_poolVersion` state variable:

- version: "version",
+ version: _poolVersion,
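
Review bot: the `+ version: _poolVersion,` line takes its value from factory state, but nothing in the hunk or the report verifies the result, so the change should come with a test that creates a pool through `createWithoutArgs` and checks that the pool carries the same version string the factory was constructed with. The report only quotes `createWithoutArgs`, so any other creation path in the factory that builds `NewPoolParams` should be checked for the same `"version"` literal before this is closed.
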
Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity