Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: high
Invalid

Unsafe condition implemented in the `LMOracleCoordinator::validate` function, which may affect the integrity of the task completion.

Summary

Lack of an explicit check on the operands used in the condition that updates the completion status.

Vulnerability Details

In the `LMOracleCoordinator::validate` function, the following line checks whether the number of validations received matches the number specified in `task.parameters.numValidations`:

```solidity
bool isCompleted = validations[taskId].length == task.parameters.numValidations;
```

This check implies that `task.parameters.numValidations` should be a positive integer (at least 1) for the function to operate correctly. If `task.parameters.numValidations` is 0, and `validations[taskId].length` is also 0, the line above becomes:

```solidity
bool isCompleted = 0 == 0;
```

The bool variable `isCompleted` will be true, which would lead to the task being marked as completed immediately, even when no validations were required; however, in this case the validations array is empty on one side and the number of validations `numValidations` is null on the other:

```solidity
function validate(uint256 taskId, uint256 nonce, uint256[] calldata scores, bytes calldata metadata)
    public
    onlyRegistered(LLMOracleKind.Validator)
    onlyAtStatus(taskId, TaskStatus.PendingValidation)
{
    /// ... The other code.
    // update completion status
    /** @audit this condition will always be evaluated as true if the values of the sides of the double equality are 0 */
@>  bool isCompleted = validations[taskId].length == task.parameters.numValidations;
    if (isCompleted) {
        task.status = TaskStatus.Completed;
        emit StatusUpdate(taskId, task.protocol, TaskStatus.PendingValidation, TaskStatus.Completed);
        // finalize validation scores
        finalizeValidation(taskId);
    }
}
```

Impact

Compromising the logic of task validation, which can lead to other undesirable behaviour. A malicious user can use this to bypass the requirement and exploit it to their advantage.

Tools Used

Manual review.

Recommendations

function validate(uint256 taskId, uint256 nonce, uint256[] calldata scores, bytes calldata metadata)
public
onlyRegistered(LLMOracleKind.Validator)
onlyAtStatus(taskId, TaskStatus.PendingValidation)
{
/// ... The other code.
// update completion status
- bool isCompleted = validations[taskId].length == task.parameters.numValidations;
+ bool isCompleted = validations[taskId].length > 0 ? validations[taskId].length == task.parameters.numValidations : false;
if (isCompleted) {
task.status = TaskStatus.Completed;
emit StatusUpdate(taskId, task.protocol, TaskStatus.PendingValidation, TaskStatus.Completed);
// finalize validation scores
finalizeValidation(taskId);
}
}
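
Review bot: on the `+` line, the guard tests `validations[taskId].length > 0` rather than `task.parameters.numValidations`, which is the operand the report is concerned about, and the elided body (`/// ... The other code.`) is not shown, so the hunk does not establish whether the length can still be 0 when this line runs. If the intent is to reject a zero `numValidations`, check that value directly. As a style point, the `cond ? x : false` form reduces to `validations[taskId].length > 0 && validations[taskId].length == task.parameters.numValidations`.
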
Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
