Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

Missing Maximum Score Validation

Vulnerability Details

The validate() function in LLMOracleCoordinator.sol claims in its documentation that it "Reverts if any score is greater than the maximum score". However, this validation is not actually implemented in the code:

LLMOracleCoordinator.sol#L255

```solidity
/// @notice Validate requests for a given taskId.
/// @dev Reverts if the task is not pending validation.
/// @dev Reverts if the number of scores is not equal to the number of generations.
-> /// @dev Reverts if any score is greater than the maximum score.
/// @param taskId The ID of the task to validate.
/// @param nonce The proof-of-work nonce.
/// @param scores The validation scores for each generation.
/// @param metadata Optional metadata for this validation.
function validate(uint256 taskId, uint256 nonce, uint256[] calldata scores, bytes calldata metadata)
    public
    onlyRegistered(LLMOracleKind.Validator)
    onlyAtStatus(taskId, TaskStatus.PendingValidation)
{
    ...
```

Impact

  • Especially when numGenerations <= 2, malicious Oracles can submit arbitrarily large scores, skewing the statistical calculations in finalizeValidation()

  • This could affect the selection of the "best" response and the distribution of rewards

  • The contract behavior doesn't match its documentation

Recommendations

Add validation for maximum score values.
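
One way to implement the recommended check, shown as an added example and not code from LLMOracleCoordinator.sol. The contract name, `maxScore`, `numGenerations`, the custom errors and the event are assumptions made for illustration; the registration and status modifiers, the proof-of-work nonce and the metadata argument are left out so the bound check stands alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration: a stripped-down stand-in for the validation entry point.
/// All names below are hypothetical and not taken from the audited code base.
contract BoundedScoreValidation {
    /// Thrown when the caller does not supply exactly one score per generation.
    error InvalidScoreCount(uint256 expected, uint256 got);
    /// Thrown when a single score exceeds the configured upper bound.
    error ScoreTooHigh(uint256 index, uint256 score, uint256 maxScore);

    event ScoresAccepted(uint256 indexed taskId, address indexed validator, uint256[] scores);

    /// Inclusive upper bound for any single score (assumed to be fixed at deployment).
    uint256 public immutable maxScore;
    /// Number of generations each task carries (assumed constant here for brevity).
    uint256 public immutable numGenerations;

    constructor(uint256 maxScore_, uint256 numGenerations_) {
        maxScore = maxScore_;
        numGenerations = numGenerations_;
    }

    /// @dev Reverts if the number of scores is not equal to the number of generations.
    /// @dev Reverts if any score is greater than the maximum score.
    function validate(uint256 taskId, uint256[] calldata scores) external {
        if (scores.length != numGenerations) {
            revert InvalidScoreCount(numGenerations, scores.length);
        }

        // The check the NatSpec promises: reject the whole submission before
        // any score is recorded, so later aggregation only sees bounded values.
        for (uint256 i = 0; i < scores.length; ++i) {
            if (scores[i] > maxScore) {
                revert ScoreTooHigh(i, scores[i], maxScore);
            }
        }

        emit ScoresAccepted(taskId, msg.sender, scores);
    }
}
```

Placing the loop before any state change means an out-of-range score reverts the entire call, so no partial submission reaches the statistics computed at finalization.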

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unbounded score values in `validate` function
