Dria
Swan
NFTHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Wrong abi decoding on BuyerAgent::purchase()

Valin Security Group

Description

A wrong ABI decoding operation is made within the BuyerAgent::purchase() function, it expects an array of arguments to decode, whereas the output is a single array.

Impact

  • Buyer are not able to execute purchases.

  • Sellers lose their assets since there are not withdraw function.

Proof of concept

In BuyerAgent::purchase() there is a step where the BuyerAgent requests the best response from the LLMOracleCoordinator

// read oracle result using the latest task id for this round
bytes memory output = oracleResult(taskId);

However, in LLMOracleCoordinator::getBestResponse() , the result of the TaskResponse.output is a byte element encoding one object, which when decoding it in BuyerAgent::purchase() reverts, since it expects an array

address[] memory assets = abi.decode(output, (address[]));

A Gist has been created to demonstrate the failing normal BuyingAgent and the comparison with the fixed version using FixedBuyerAgent

Recommendation

In order to fix the issue, modify this line of code :

address[] memory assets = abi.decode(output, (address[]));

by replacing it with :

assets[0] = abi.decode(output, (address));

This change correctly decodes output as single address instead of an array, ensuring the function process the data accurately without errors.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.