Dria

Github

• https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleCoordinator.sol#L368

Summary

In the LLMOracleCoordinator contract, the finalizeValidation function includes a calculation involving a subtraction operation within an if statement. This subtraction is vulnerable to an underflow if certain conditions are met, potentially causing the function to revert. The lack of a boundary check for this operation opens up the possibility for a Denial of Service (DoS) scenario, where task validation fails and disrupts task completion, reward distribution, or further processing. This report details the issue and provides a solution to prevent the underflow.

Vulnerability Details

The finalizeValidation function aggregates and evaluates scores submitted for a task generation, using a standard deviation threshold to determine which scores are eligible for rewards. However, in the final if condition, the function subtracts a scaled standard deviation (stddev) from the mean. If this scaled standard deviation exceeds the mean, the subtraction operation will result in a negative value, which underflows in Solidity when using uint256 types. Underflows cause the transaction to revert, resulting in a Denial of Service (DoS) condition within finalizeValidation.

Here is the relevant portion of the finalizeValidation function:

The condition generationScores[g_i] >= mean - generationDeviationFactor * stddev is intended to filter out lower outlier scores by checking if each score is greater than or equal to a threshold value, calculated as mean - generationDeviationFactor * stddev. However, if generationDeviationFactor * stddev is greater than mean, the subtraction will result in a negative value, which causes an underflow in Solidity’s uint256 type, resulting in a revert.

Example

To illustrate the underflow potential, consider the following example values:

Calculate generationDeviationFactor * stddev:

Attempt to Calculate mean - generationDeviationFactor * stddev:

Since Solidity does not support negative values in uint256 types, this operation would underflow, resulting in reverting the whole process.

Impact

When this underflow occurs, finalizeValidation reverts, preventing the function from completing its operations. As a result, the entire validation process for the task halts, blocking task completion and preventing the distribution of rewards to eligible participants. This Denial of Service (DoS) condition can affect the usability and reliability of the platform.

If finalizeValidation reverts, the function cannot identify which scores meet the threshold, meaning that eligible responders are not rewarded for their contributions. This disrupts the intended economic incentives of the platform, potentially discouraging validator and responder participation.

Tools Used

Manual Review

Recommendations

To prevent this underflow, add a boundary check before performing the subtraction. Ensure that generationDeviationFactor * stddev does not exceed mean, setting a lower threshold of zero if it does. This solution preserves the functionality of the if statement while preventing underflow. Also add a limit on generationDeviationFactor to avoid this type of underflow issue.