QuantAMM

Submission Details
Severity: low
Invalid

Pool creation - no validation on `disableUnbalancedLiquidity` when `enableHookAdjustedAmounts` is true

Summary

The createWithoutArgs and create functions of the QuantAMMWeightedPoolFactory contract lack validation to ensure that disableUnbalancedLiquidity is set to true when a pool's hook has enableHookAdjustedAmounts enabled. This oversight allows pools to be created with incompatible configurations, potentially resulting in unexpected or unsafe behavior.

Vulnerability Details

The issue lies in the createWithoutArgs and create functions of the QuantAMMWeightedPoolFactory contract (https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/QuantAMMWeightedPoolFactory.sol), where the relationship between disableUnbalancedLiquidity and enableHookAdjustedAmounts is not validated.

function create(NewPoolParams memory params) external returns (address pool, bytes memory poolArgs) {
...

The factory directly uses the value of params.disableUnbalancedLiquidity without enforcing the correct relationship between the hook's enableHookAdjustedAmounts flag and the disableUnbalancedLiquidity setting.

Impact

Pools can be created with incompatible settings, allowing hooks with enableHookAdjustedAmounts to operate without ensuring disableUnbalancedLiquidity is enabled.
Invalid liquidity operations can proceed, exposing the pool to manipulation and economic exploits.

Tools Used

Manual Review

Recommendations

To address this issue, validation should be added in pool creation functions to enforce the correct relationship between disableUnbalancedLiquidity and enableHookAdjustedAmounts.
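A factory-side check of the kind the recommendation describes, written here as an added example and not code from the QuantAMM repository. It assumes the factory's pool parameters carry a `poolHooksContract` address and that the hook exposes Balancer v3's `getHookFlags()`; the flags struct below is a reduced local stand-in for the real interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Reduced stand-in for the hook interface (assumption: a real factory would
// import IHooks from Balancer v3 instead of declaring this locally).
struct HookFlags {
    bool enableHookAdjustedAmounts; // the only flag this check depends on
}

interface IHooksLite {
    function getHookFlags() external view returns (HookFlags memory);
}

/// @notice Rejects the inconsistent pool configuration the report describes:
/// a hook that adjusts amounts while unbalanced liquidity is still allowed.
abstract contract HookLiquidityConfigGuard {
    error HookRequiresDisableUnbalancedLiquidity(address hook);

    /// @param poolHooksContract hook attached to the new pool (assumed field name)
    /// @param disableUnbalancedLiquidity value taken from the pool parameters
    function _validateHookLiquidityConfig(
        address poolHooksContract,
        bool disableUnbalancedLiquidity
    ) internal view {
        // No hook attached: there is nothing to reconcile.
        if (poolHooksContract == address(0)) return;

        HookFlags memory flags = IHooksLite(poolHooksContract).getHookFlags();

        // Hook-adjusted amounts are only coherent when every add/remove is
        // proportional, i.e. when unbalanced liquidity is disabled.
        if (flags.enableHookAdjustedAmounts && !disableUnbalancedLiquidity) {
            revert HookRequiresDisableUnbalancedLiquidity(poolHooksContract);
        }
    }
}
```

A factory inheriting this guard would call `_validateHookLiquidityConfig(params.poolHooksContract, params.disableUnbalancedLiquidity)` at the top of both create and createWithoutArgs, before the pool is deployed and registered.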

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
