Submission Details
Severity:
Data Manipulation in oraclePurchaseRequest Due to Seller-Controlled respond Calls
Summary
The seller can become the Generator of the oraclePurchaseRequest requested by the BuyerAgent.(The seller listed his asset to BuyerAgent.)
Vulnerability Details
Seller-Controlled Oracle Generation in oraclePurchaseRequest.
In contract LLMOracleCoordinator, seller can call function respond.
Impact
Allowing the seller to call the respond function on the oraclePurchaseRequest task introduces a data manipulation risk:
Tools Used
Recommendations
Add a validation check in the oraclePurchaseRequest logic to ensure the caller of the respond function is not the seller of any assets included in the request.
function respond(uint256 taskId, uint256 nonce, bytes calldata output, bytes calldata metadata)
public
onlyRegistered(LLMOracleKind.Generator)
onlyAtStatus(taskId, TaskStatus.PendingGeneration)
{
TaskRequest storage task = requests[taskId];
+ BuyerAgent buyer = BuyerAgent(task.requester);
+ (uint256 round, Phase phase,) = buyer.getRoundPhase();
+ address[] assets = swan.getListedAssets(task.requester, round);
+ for (uint256 i = 0; i < assets.length; i++) {
+ address asset = assets[i];
+ AssetListing assetListing = swan.listings[asset];
+ if(assetListing.seller == msg.sender) {
+ revert InvalidGenerator(taskId, msg.sender);
+ }
+ }
// ensure responder to be unique for this task
for (uint256 i = 0; i < responses[taskId].length; i++) {
if (responses[taskId][i].responder == msg.sender) {
revert AlreadyResponded(taskId, msg.sender);
}
}
...
}
Updates
Lead Judging Commences
inallhonesty 12 months ago
Submission Judgement Published Assigned finding tags:
There is no oracle whitelisting
Prize pool breakdown
Total prize
21,000 USDC
nSLOC
1,03420 USDC / LOC
20,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.