Submission Details
Severity:
Missing Check for Maximum Score in the `LLMOracleCoordinator::validate` function.
Relevant GitHub Links
Summary
wrong implementation of the logic described in the documentation.
Vulnerability Details
The natspec of the LLMOracleCoordinator::validate function indicates that it should revert if any score is greater than the maximum score, but this check is not present in the implementation:
/// @notice Validate requests for a given taskId.
/// @dev Reverts if the task is not pending validation.
/// @dev Reverts if the number of scores is not equal to the number of generations.
@> /// @dev Reverts if any score is greater than the maximum score.
/// ... The rest of natspec
function validate(uint256 taskId, uint256 nonce, uint256[] calldata scores, bytes calldata metadata)
public
onlyRegistered(LLMOracleKind.Validator)
onlyAtStatus(taskId, TaskStatus.PendingValidation)
{
TaskRequest storage task = requests[taskId];
// ensure there is a score for each generation
if (scores.length != task.parameters.numGenerations) {
revert InvalidValidation(taskId, msg.sender);
}
// @audit missing check for max score
/// ... The rest of code
}
Impact
Without this check, potentially invalid scores can be processed, which could compromise the integrity of the validation process.
Tools Used
Manual analysis.
Recommendations
/// @notice Validate requests for a given taskId.
/// @dev Reverts if the task is not pending validation.
/// @dev Reverts if the number of scores is not equal to the number of generations.
@> /// @dev Reverts if any score is greater than the maximum score.
/// ... The rest of natspec
function validate(uint256 taskId, uint256 nonce, uint256[] calldata scores, bytes calldata metadata)
public
onlyRegistered(LLMOracleKind.Validator)
onlyAtStatus(taskId, TaskStatus.PendingValidation)
{
TaskRequest storage task = requests[taskId];
// ensure there is a score for each generation
if (scores.length != task.parameters.numGenerations) {
revert InvalidValidation(taskId, msg.sender);
}
// @audit ensure that each score is less than or equal to the maximum score
+ for (uint256 i = 0; i < scores.length; i++) {
+ if (scores[i] > MAX_SCORE) { // @audit Assuming MAX_SCORE and InvalidScore are defined
+ revert InvalidScore(taskId, msg.sender, scores[i]);
+ }
+ }
/// ... The rest of code
}
Updates
Lead Judging Commences
inallhonesty 12 months ago
Submission Judgement Published Assigned finding tags:
Unbounded score values in `validate` function
Prize pool breakdown
Total prize
21,000 USDC
nSLOC
1,03420
USDC / LOC
20,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.