Insufficient Validation in onSwap Function Allows Attackers to Bypass maxTradeSizeRatio Check
The onSwap function in the QuantAMMWeightedPool contract contains a logical error that allows malicious actors to bypass the maxTradeSizeRatio check.
In detail, for SwapKind.EXACT_IN swaps the check restricts only the input token amount; no validation is performed on the output token amount. For SwapKind.EXACT_OUT swaps, by contrast, the check is applied to the output token amount. Because the pool's swap math is non-linear, an input amount within the limit does not bound the output amount, so an EXACT_IN swap can remove more than maxTradeSizeRatio of the output token.
Here's how SwapKind.EXACT_IN swaps were processed in the QuantAMMWeightedPool contract:
This discrepancy enables malicious actors to sidestep the maxTradeSizeRatio check with an EXACT_IN swap whose output amount exceeds the limit, and so to drain funds from the pool. It is a clear violation of the maxTradeSizeRatio invariant.
This vulnerability can lead to:
Token Draining
Attackers can manipulate trades to remove excessive amounts of a specific token from the pool.
Pool Imbalance
Disproportionate token ratios in the pool reduce its efficiency and liquidity.
Financial Risk
The lack of proper validation exposes the pool to potential manipulation, particularly in scenarios involving price spikes or market volatility.
Manual Review
To address this issue, additional validation should be introduced for EXACT_IN swaps to ensure the output token amount adheres to the maxTradeSizeRatio.
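The two code paths described above, modelled as an added example (this is not the QuantAMM contract's code and does not reproduce its implementation). It assumes Balancer-style weighted-pool swap math (out-given-in and in-given-out); the balances, weights and the 0.3 ratio in demo() are constructed for illustration, and on_swap_fixed implements the recommendation of also bounding the output leg for EXACT_IN swaps.

```python
"""Model of the maxTradeSizeRatio check on onSwap, as an added example.

Assumptions (not from the finding): Balancer-style weighted-pool math and the
constructed pool state in demo().
"""
from enum import Enum


class SwapKind(Enum):
    EXACT_IN = 0
    EXACT_OUT = 1


def out_given_in(balance_in, weight_in, balance_out, weight_out, amount_in):
    """Weighted-pool invariant: aO = bO * (1 - (bI / (bI + aI)) ** (wI / wO))."""
    return balance_out * (1.0 - (balance_in / (balance_in + amount_in)) ** (weight_in / weight_out))


def in_given_out(balance_in, weight_in, balance_out, weight_out, amount_out):
    """Weighted-pool invariant: aI = bI * ((bO / (bO - aO)) ** (wO / wI) - 1)."""
    return balance_in * ((balance_out / (balance_out - amount_out)) ** (weight_out / weight_in) - 1.0)


def on_swap_vulnerable(kind, amount, balance_in, weight_in, balance_out, weight_out, max_ratio):
    """The check as the finding describes it: EXACT_IN bounds only the input
    leg, EXACT_OUT bounds only the output leg. Returns the calculated leg."""
    if kind is SwapKind.EXACT_IN:
        if amount > max_ratio * balance_in:
            raise ValueError("maxTradeSizeRatio: amountIn too large")
        return out_given_in(balance_in, weight_in, balance_out, weight_out, amount)
    if amount > max_ratio * balance_out:
        raise ValueError("maxTradeSizeRatio: amountOut too large")
    return in_given_out(balance_in, weight_in, balance_out, weight_out, amount)


def on_swap_fixed(kind, amount, balance_in, weight_in, balance_out, weight_out, max_ratio):
    """The recommended fix: for EXACT_IN, bound the calculated output leg as
    well as the given input leg. EXACT_OUT is left as the finding describes it
    (the output leg is already checked)."""
    if kind is SwapKind.EXACT_OUT:
        return on_swap_vulnerable(kind, amount, balance_in, weight_in, balance_out, weight_out, max_ratio)
    if amount > max_ratio * balance_in:
        raise ValueError("maxTradeSizeRatio: amountIn too large")
    amount_out = out_given_in(balance_in, weight_in, balance_out, weight_out, amount)
    if amount_out > max_ratio * balance_out:
        raise ValueError("maxTradeSizeRatio: amountOut too large")
    return amount_out


def demo():
    """Constructed scenario: 1000/1000 balances, a skewed 0.8/0.2 weight pair
    and maxTradeSizeRatio = 0.3. An EXACT_IN swap of exactly 30% of balanceIn
    passes the input-only check but removes about 65% of balanceOut."""
    b_in, b_out, ratio = 1000.0, 1000.0, 0.3
    w_in, w_out = 0.8, 0.2
    amount_in = ratio * b_in  # 300, right at the limit on the input leg

    bypass_out = on_swap_vulnerable(SwapKind.EXACT_IN, amount_in, b_in, w_in, b_out, w_out, ratio)
    try:
        on_swap_fixed(SwapKind.EXACT_IN, amount_in, b_in, w_in, b_out, w_out, ratio)
        fixed_rejects = False
    except ValueError:
        fixed_rejects = True

    # Same trade in a 50/50 pool: the output leg stays under the limit, so the
    # hardened check does not reject an ordinary trade.
    balanced_out = on_swap_fixed(SwapKind.EXACT_IN, amount_in, b_in, 0.5, b_out, 0.5, ratio)
    return {
        "bypass_out": bypass_out,
        "bypass_exceeds_limit": bypass_out > ratio * b_out,
        "fixed_rejects": fixed_rejects,
        "balanced_out": balanced_out,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With equal weights the output leg is amountOut/balanceOut = r/(1+r), which is always below r, so the input-only check happens to hold; once weightIn exceeds weightOut the exponent weightIn/weightOut makes the curve steep enough that an input at the limit takes far more than r of the output balance, which is the case the hardened check catches.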
Likelihood: Medium, any EXACT_IN swap, but only when there is a price spike in one token. Impact: Medium, bypass of the maxTradeSizeRatio check.