Underflow in `variance` lead to broken functionality of LLMCoordinator and protocol at all
Summary
Consider the Variance and Mean functions in Statistics.sol
You can see that data[i] - mean is taken as uint256 diff in line 15 of the variance function, which will obviously lead to underflow in 99.99% of cases, because not every value of data[i] will be greater than mean. On the contrary, only if all values in the list are the same - data[i] >= mean.
In all other cases this function will lead to underflow.
Vulnerability Details
The variance function is called inside the stddev function, which in turn is called in LLMOracleCoordinator::finaliseValidation. So 99.99% of validations will not be finalised because of revert due to underflow, which means oracle will not be able to generate a final response for 99.99% of the taskId. This means that buyerAgent queries will not be finalised either.
In general, the whole protocol logic breaks down.
Impact
Breakdown of the logic of the entire protocol 99.99% of the time. Severity: High
Tools Used
Manual Review
Recommendations
Add check, is data[i] > or < mean. If > => diff = data[i] - mean, else diff = mean - data[i]
Lead Judging Commences
Underflow in computing variance
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.