Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

increased allowances shouldn't be claimable by the owner of LLMOracleCoordinator

Summary

When providing services, both the Generators and Validators are entitled to a fee. The owner of the contract has the power to withdraw all fees; this shouldn't be possible.

Vulnerability Details

When generators respond, they are entitled to a fee. The same logic applies to Validators when they validate.

When the owner withdraws the platform fees, the entire balance of the contract is transferred.
https://github.com/Cyfrin/2024-10-swan-dria/blob/c3f6f027ed51dd31f60b224506de2bc847243eb7/contracts/llm/LLMOracleCoordinator.sol#L377-L379

```solidity
function withdrawPlatformFees() public onlyOwner {
    feeToken.transfer(owner(), feeToken.balanceOf(address(this)));
}
```

This means that Generators or Validators who haven't withdrawn yet can no longer do so until the contract again holds enough balance, and only if the owner doesn't withdraw it first.

Impact

Validators and Generators may not be able to claim their fees.

Tools Used

Recommendations

Allow the owner to withdraw platform fees only, not the entire balance. This could be achieved by accounting for the platform's generated fees.
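One way to implement the accounting recommended above, as an added sketch that is not the project's code. Only `withdrawPlatformFees`, `feeToken` and `onlyOwner` come from the page; the contract name, state variables, `_recordFees` and `claim` are hypothetical, and oracles are paid through a simple claim mapping rather than the allowances the title mentions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by this sketch.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical contract: separates the owner's share from fees owed to oracles.
contract FeeAccountingSketch {
    IERC20 public immutable feeToken;
    address public immutable owner;

    uint256 public platformFeesAccrued;         // owner's share only
    uint256 public totalOwedToOracles;          // unclaimed generator/validator fees
    mapping(address => uint256) public owedTo;  // unclaimed fee per oracle

    constructor(IERC20 token) {
        feeToken = token;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Assumed hook, called from the settlement path: records the split, moves no tokens.
    function _recordFees(address oracle, uint256 oracleFee, uint256 platformFee) internal {
        owedTo[oracle] += oracleFee;
        totalOwedToOracles += oracleFee;
        platformFeesAccrued += platformFee;
    }

    // Generators and Validators pull their own fees.
    function claim() external {
        uint256 amount = owedTo[msg.sender];
        owedTo[msg.sender] = 0;
        totalOwedToOracles -= amount;
        require(feeToken.transfer(msg.sender, amount), "transfer failed");
    }

    // Transfers only the accrued platform share, never balanceOf(address(this)).
    function withdrawPlatformFees() public onlyOwner {
        uint256 amount = platformFeesAccrued;
        platformFeesAccrued = 0;
        require(feeToken.transfer(owner, amount), "transfer failed");
        // Invariant: the remaining balance still covers every unclaimed oracle fee.
        require(feeToken.balanceOf(address(this)) >= totalOwedToOracles, "oracle fees underfunded");
    }
}
```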

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`withdrawPlatformFees` withdraws the entire balance
