Dria
Swan
NFTHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

LLMOracleCoordinator will revert due to under overflow at function `variance` in lib `Statistics.sol`

tmotfl

Summary

LLMOracleCoordinator will not work due to under overflow when call function variance in Statistics. Because variance is a key function in this project. It will be called when calc scores. So it should be high severity due to dos to contract.

Vulnerability Details

In function variance in Statistics.sol, the avg function is called to calculate the average, then data[i] - mean is used to calculate the difference. However, since data[i] may be less than mean, it causes a revert.

Since this function is used to calculate the variance of score, it is an important feature in the contract.

/// @notice Compute the variance of the data.
/// @param data The data to compute the variance for.
function variance(uint256[] memory data) internal pure returns (uint256 ans, uint256 mean) {
mean = avg(data);
uint256 sum = 0;
for (uint256 i = 0; i < data.length; i++) {
//revert
uint256 diff = data[i] - mean;
sum += diff * diff;
}
ans = sum / data.length;
}

poc

function test(uint256[] memory test_arg) external {
(uint256 ans, uint256 mean) = Statistics.stddev(test_arg);
}
it("should pass", async function () {
const testArg = [1, 1, 1];
await coordinator.test(testArg);
});
it("should revert", async function () {
const testArg = [1, 2, 3];
await coordinator.test(testArg);
});

Impact

This will cause LLMOracleCoordinator.sol not work

Tools Used

mannul review

Recommendations

for (uint256 i = 0; i < data.length; i++) {
uint256 diff = 0;
if(data[i] > mean) {
diff = data[i] - mean;
} else {
diff = mean - data[i];
}
sum += diff * diff;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Underflow in computing variance

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.