Dria

Swan
NFTHardhat
21,000 USDC
View results
Submission Details
Severity: high
Valid

Preventing underflow in validation score threshold calculation by ensuring safe subtraction

Summary

The finalizeValidation function in the LLMOracleCoordinator contract calculates a threshold for awarding generator fees based on a comparison of mean - generationDeviationFactor * stddev. If mean is smaller than generationDeviationFactor * stddev, this subtraction will cause an underflow, leading to an unintended revert. Implementing a conditional check to ensure safe subtraction prevents this issue.

Vulnerability Details

In the line if (generationScores[g_i] >= mean - generationDeviationFactor * stddev), if mean is less than generationDeviationFactor * stddev, the subtraction operation will cause an underflow, resulting in an automatic transaction revert. Since uint256 cannot represent negative values, performing unchecked subtraction between these variables could lead to reverts even when this was not the intended condition.

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleCoordinator.sol#L368

Impact

  • Unexpected Transaction Reverts: This underflow can lead to transaction reverts, disrupting the reward distribution process in finalizeValidation and preventing completion of the validation phase.

  • Interruptions in Contract Logic: The unintended reverts disrupt the contract’s logic and prevent the smooth processing of LLM generation and validation tasks.

Tools Used

Recommendations

To prevent the underflow, modify the finalizeValidation function to check if mean is greater than or equal to generationDeviationFactor * stddev before performing the subtraction. Here’s the recommended code:

for (uint256 g_i = 0; g_i < task.parameters.numGenerations; g_i++) {
// ignore lower outliers
- if (generationScores[g_i] >= mean - generationDeviationFactor * stddev)
+ if (generationScores[g_i] + generationDeviationFactor * stddev>= mean) {
_increaseAllowance(responses[taskId][g_i].responder, task.generatorFee);
}
}

This fix ensures that the threshold calculation avoids underflow, making the finalizeValidation function resilient to all valid inputs.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Underflow in `LLMOracleCoordinator::validate`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.