Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Missing Maximum Score Validation Despite NatSpec Documentation

skid0016

Description:

Here

The validate function in LLMOracleCoordinator.sol has a NatSpec comment stating it "Reverts if any score is greater than the maximum score". However, the implementation does not include any validation to enforce this constraint. This allows validators to submit arbitrarily high scores which could manipulate the final validation results.

here:

/// @dev Reverts if any score is greater than the maximum score.

function validate(uint256 taskId, uint256 nonce, uint256[] calldata scores, bytes calldata metadata)

public

onlyRegistered(LLMOracleKind.Validator)

onlyAtStatus(taskId, TaskStatus.PendingValidation)

{

// Score range validation is documented but not implemented

// Scores can be arbitrarily high

validations[taskId].push(

TaskValidation({scores: scores, nonce: nonce, metadata: metadata, validator: msg.sender})

);

}

Impact:

Validators can manipulate final scores through arbitrarily high values
Statistical calculations (mean, standard deviation) can be skewed
Contract behavior differs from documented specifications
\

In Details:
\

*Statistical Manipulation:

function finalizeValidation(uint256 taskId) private {

// ... in statistical calculations

(uint256 _stddev, uint256 _mean) = Statistics.stddev(scores);

// Extremely high scores can:

// 1. Skew the mean significantly

// 2. Inflate the standard deviation

// 3. Affect which validators get paid

if ((score >= _mean - _stddev) && (score <= _mean + _stddev)) {

_increaseAllowance(validator, fee);

}

Reward Distribution:

// A malicious validator could:

scores = [1000000, 0, 0] // Extremely high score

// This would:

// 1. Push mean up significantly

// 2. Create large standard deviation

// 3. Potentially exclude legitimate scores

Generator Payment Impact:

// Final generation scoring affected:

if (generationScores[g_i] >= mean - generationDeviationFactor * stddev) {

_increaseAllowance(responses[taskId][g_i].responder, task.generatorFee);

}

Recommended Mitigation:

Add the missing score validation:

contract LLMOracleCoordinator {

uint256 public constant MAX_SCORE = 100; // Define maximum score

function validate(uint256 taskId, uint256 nonce, uint256[] calldata scores, bytes calldata metadata)

public

onlyRegistered(LLMOracleKind.Validator)

onlyAtStatus(taskId, TaskStatus.PendingValidation)

{

TaskRequest storage task = requests[taskId];

// Add missing score validation

for (uint256 i = 0; i < scores.length; i++) {

if (scores[i] > MAX_SCORE) {

revert ScoreExceedsMaximum(scores[i], MAX_SCORE);

}

// ... rest of the function

}

Implement the missing score validation as shown above
Add a constant for maximum allowed score
Consider making the maximum score configurable by governance

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Unbounded score values in `validate` function

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.