Dria

Swan
NFTHardhat
21,000 USDC
View results
Submission Details
Severity: high
Valid

LLMOracleCoordinator`s validate will revert for valid reqeust due to underflow inside LLMOracleCoordinator contract

Summary

LLMOracleCoordinator`s validate will revert for valid reqeust due to underflow inside LLMOracleCoordinator contract

Vulnerability Details

underflow e.x. array [1,100,1]; mean = 34; stddev = 46.72; generationDeviationFactor = 1; 34 - 46*1 = -12 underflow

for (uint256 g_i = 0; g_i < task.parameters.numGenerations; g_i++) {
// ignore lower outliers
if (generationScores[g_i] >= mean - generationDeviationFactor * stddev) {
_increaseAllowance(responses[taskId][g_i].responder, task.generatorFee);
}
}

LLMOracleCoordinator.sol#L369

The same issue here

for (uint256 v_i = 0; v_i < task.parameters.numValidations; ++v_i) {
uint256 score = scores[v_i];
if ((score >= _mean - _stddev) && (score <= _mean + _stddev)) { // @audit underflow
innerSum += score;
innerCount++;
// send validation fee to the validator
_increaseAllowance(validations[taskId][v_i].validator, task.validatorFee);
}
}

LLMOracleCoordinator.sol#L343

Impact

validate function wil revert when it suppose to pass.

Tools Used

Recommendations

for (uint256 g_i = 0; g_i < task.parameters.numGenerations; g_i++) {
// ignore lower outliers
- if (generationScores[g_i] >= mean - generationDeviationFactor * stddev) {
+ if (generationScores[g_i] + generationDeviationFactor * stddev >= mean ) {
_increaseAllowance(responses[taskId][g_i].responder, task.generatorFee);
}
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Underflow in `LLMOracleCoordinator::validate`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.