Dria
Swan
NFTHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Unused validation deviation factor will result in narrower accepted validation scores intervals

robertodf99

Summary

The score assigned to each oracle response is computed using validation scores comprised between the mean and a certain number of standard deviations. By default, this range is set to 2 standard deviations in LLMOracleManager::validationDeviationFactor. However, this setting is ignored in LLMOracleCoordinator::finalizeValidation, resulting in scores generated using only values within 1 standard deviation, regardless of the validationDeviationFactor setting.

Vulnerability Details

Because scores are calculated using a smaller-than-intended validation range, fewer validation scores contribute to the final assigned response scores. This reduced range may lead to selecting a suboptimal oracle response, as the broader validation score distribution intended by validationDeviationFactor is not fully utilized.

Impact

Tools Used

Manual review.

Recommendations

Incorporate missing factor in LLMOracleCoordinator::finalizeValidation:

...
uint256 innerSum = 0;
uint256 innerCount = 0;
for (uint256 v_i = 0; v_i < task.parameters.numValidations; ++v_i) {
uint256 score = scores[v_i];
- if ((score >= _mean - _stddev) && (score <= _mean + _stddev)) {
+ if (
+ (score >= _mean - validationDeviationFactor * _stddev) &&
+ (score <= _mean + validationDeviationFactor * _stddev)
+ ) {
innerSum += score;
innerCount++;
// send validation fee to the validator
_increaseAllowance(
validations[taskId][v_i].validator,
task.validatorFee
);
}
}
...
Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.