Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Invalid

Lack of Fee Limit Validation in `setFees` Function of `LLMOracleManager`


Summary

The `LLMOracleManager` contract includes a `setFees` function that lets the contract owner adjust three critical fee parameters: `platformFee`, `generationFee`, and `validationFee`. There is no upper limit on any of these values. Excessively high fees could make tasks prohibitively expensive, prevent users from interacting with the contract, or result from a misconfiguration that disrupts core functionality. Introducing upper bounds for each fee would mitigate these risks and improve the stability, predictability, and security of the contract for its users.

Vulnerability Details

The `setFees` function allows the contract owner to update three fee parameters:

  1. `platformFee`: A fixed fee paid for each task created on the platform.

  2. `generationFee`: A base fee multiplied by the task's difficulty level to compute the fee for each generation.

  3. `validationFee`: A base fee multiplied by the task's difficulty level to compute the fee for each validation.

```solidity
// LLMOracleManager.setFees as quoted in the report: the only guard is onlyOwner;
// no upper bound is enforced on any of the three parameters.
function setFees(uint256 _platformFee, uint256 _generationFee, uint256 _validationFee) public onlyOwner {
    platformFee = _platformFee;
    generationFee = _generationFee;
    validationFee = _validationFee;
}
```

Each of these fees can be set to any value, including extremely high amounts, because there are no checks for maximum limits. Although `setFees` is protected by `onlyOwner`, which restricts its use to the contract owner, the lack of bounds opens up the following issues:

  • Setting fees too high could make the platform unaffordable or impractical for users, preventing them from initiating tasks. For instance, an unreasonably high `platformFee` would make each task excessively costly even before the generation and validation fees are added.

  • Users may attempt to interact with the platform only to have their transactions fail and their gas wasted because of the excessive fees, leading to dissatisfaction and loss of trust in the platform.

  • Since the `totalFee` for a task depends on the `platformFee`, `generationFee`, and `validationFee` values (the latter two scaled by difficulty), excessive fees can block the core functionality of task creation and execution. If fees become unaffordable, the LLM Oracle system loses its utility, potentially causing downtime until the issue is resolved.

  • This lack of affordability can also hinder the adoption and usability of the contract for its intended purpose, as users may avoid the platform because of unpredictable costs.

Impact

Tasks may become prohibitively expensive for users, reducing the overall utility and attractiveness of the platform. Excessive fees could prevent task creation and validation, effectively denying service to the platform's core functionality. The contract owner could unintentionally or intentionally disrupt the platform by setting extremely high fees, which raises concerns about the platform's stability and trustworthiness.

Tools Used

Manual Review

Recommendations

To mitigate these risks, I recommend enforcing a maximum value for each fee parameter in the `setFees` function, reverting when a proposed fee exceeds its cap.
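A bounded version of `setFees`, as an added illustration of the recommendation above and not the Swan/Dria code. The cap values, the `FeeTooHigh` error, the `FeesUpdated` event, and the assumption of an 18-decimal fee token are all mine; the real caps must come from the protocol's own economics.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Illustration of bounded fee setters. Added example, not the
/// project's code; cap values, error and event names are assumptions.
contract BoundedFeesExample {
    address public owner;
    uint256 public platformFee;
    uint256 public generationFee;
    uint256 public validationFee;

    // Assumed caps for an 18-decimal fee token. Choose real values from the
    // protocol's economics; the point is that a cap exists and is enforced.
    uint256 public constant MAX_PLATFORM_FEE = 10 ether;
    uint256 public constant MAX_GENERATION_FEE = 1 ether;
    uint256 public constant MAX_VALIDATION_FEE = 1 ether;

    error FeeTooHigh(string which, uint256 requested, uint256 max);
    error NotOwner();

    // Emitted on every change so off-chain monitoring can alert on fee updates.
    event FeesUpdated(uint256 platformFee, uint256 generationFee, uint256 validationFee);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 _platformFee, uint256 _generationFee, uint256 _validationFee) {
        owner = msg.sender;
        _setFees(_platformFee, _generationFee, _validationFee);
    }

    function setFees(uint256 _platformFee, uint256 _generationFee, uint256 _validationFee) public onlyOwner {
        _setFees(_platformFee, _generationFee, _validationFee);
    }

    // Shared by the constructor and setFees so the caps cannot be bypassed at deployment.
    function _setFees(uint256 _platformFee, uint256 _generationFee, uint256 _validationFee) internal {
        if (_platformFee > MAX_PLATFORM_FEE) revert FeeTooHigh("platform", _platformFee, MAX_PLATFORM_FEE);
        if (_generationFee > MAX_GENERATION_FEE) revert FeeTooHigh("generation", _generationFee, MAX_GENERATION_FEE);
        if (_validationFee > MAX_VALIDATION_FEE) revert FeeTooHigh("validation", _validationFee, MAX_VALIDATION_FEE);
        platformFee = _platformFee;
        generationFee = _generationFee;
        validationFee = _validationFee;
        emit FeesUpdated(_platformFee, _generationFee, _validationFee);
    }
}
```

Because generation and validation fees are multiplied by task difficulty, the caps on those two should be chosen with the maximum difficulty in mind so that the resulting total fee stays affordable at the upper end.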

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
