Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Lack of Non-Empty `Output` Check in the `LLMOracleCoordinator::respond` function.

0xrolko

Relevant GitHub Links

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleCoordinator.sol#L198

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleCoordinator.sol#L207

Summary

The logic explained in the documentation is not the one implemented.

Vulnerability Details

The natspec of the LLMOracleCoordinator::respond function specifies that the `output` must be non-empty, but there’s no explicit check for this in the function:

/// @notice Respond to an LLM generation.

@> /// @dev Output must be non-empty.

/// ... The other natspecs

function respond(uint256 taskId, uint256 nonce, bytes calldata output, bytes calldata metadata)

public

onlyRegistered(LLMOracleKind.Generator)

onlyAtStatus(taskId, TaskStatus.PendingGeneration)

{

// @audit lack of Non-Empty Output Check

/// ... The function content

}

Impact

- System Integrity Risks: In cases where the function relies on non-empty output for downstream processes, an empty output could lead to incorrect or unexpected behavior, especially if other parts of the system assume valid responses.

- Potential Security Vulnerabilities: Attackers could exploit the lack of an output check by sending empty outputs in bulk, especially if there are incentives tied to the response.

Tools Used

Manual review.

Recommendations

/// @notice Respond to an LLM generation.

/// @dev Output must be non-empty.

/// ... The other natspecs

function respond(uint256 taskId, uint256 nonce, bytes calldata output, bytes calldata metadata)

public

onlyRegistered(LLMOracleKind.Generator)

onlyAtStatus(taskId, TaskStatus.PendingGeneration)

{

+ if (output.length == 0) {

+ revert EmptyOutput();

+ }

/// ... The function content

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incomplete checks in `respond()` of `LLMOracleCoordinator.sol`, `output` is not checked

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.