Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: high
Valid

Statistics.stddev() will revert because of a design error in variance() function

Summary

Statistics.stddev() always reverts because of a design error in the variance() function.

Vulnerability Details

The stddev() function (used in BuyerAgent.finalizeValidation()) returns the standard deviation of the set of numbers passed to it as parameters. The standard deviation is computed as the square root of the variance, which is produced by another function of the Statistics library, variance().

However, variance() reverts whenever any input value is lower than the mean, because the subtraction data[i] - mean would produce a negative result, which a uint256 cannot hold, so the operation underflows and the transaction reverts. That is the case for every realistic input: it can only be avoided when all the input values are identical, which is unrealistic in this situation.

This is the code line that causes the issue:

uint256 diff = data[i] - mean;
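The following is an added example, not code from the Swan codebase or from this report: it models Solidity checked uint256 arithmetic in Python (a uint256 result outside [0, 2**256 - 1] reverts) and reproduces both the reverting variance() described above and the absolute-difference fix proposed in the Recommendations, so the revert condition and the fixed values can be checked offline. All inputs are constructed for the demonstration.

```python
import math

UINT256_MAX = 2**256 - 1

class Revert(Exception):
    """Stands in for the EVM revert raised by Solidity >=0.8 checked arithmetic."""

def checked(value: int) -> int:
    # Every +, -, * in Solidity >=0.8 reverts if the result leaves the uint256 range.
    if not 0 <= value <= UINT256_MAX:
        raise Revert("arithmetic overflow/underflow")
    return value

def avg(data: list[int]) -> int:
    total = 0
    for x in data:
        total = checked(total + x)
    return total // len(data)  # integer division, as on chain

def variance_original(data: list[int]) -> tuple[int, int]:
    """Mirrors the reported code: data[i] - mean underflows whenever data[i] < mean."""
    mean = avg(data)
    total = 0
    for x in data:
        diff = checked(x - mean)  # the reverting line from the report
        total = checked(total + checked(diff * diff))
    return total // len(data), mean

def variance_fixed(data: list[int]) -> tuple[int, int]:
    """Recommended fix: square the absolute difference. diff * diff can still overflow."""
    mean = avg(data)
    total = 0
    for x in data:
        diff = checked(x - mean) if x > mean else checked(mean - x)
        total = checked(total + checked(diff * diff))
    return total // len(data), mean

def stddev_fixed(data: list[int]) -> int:
    return math.isqrt(variance_fixed(data)[0])  # integer square root of the variance

def reverts(fn, data: list[int]) -> bool:
    """True if fn(data) would revert on chain instead of returning a value."""
    try:
        fn(data)
    except Revert:
        return True
    return False
```

With the constructed input [2, 4, 9] the original variance() reverts on the very first element (2 < mean 5), while the fixed version returns a variance of 8 and a standard deviation of 2; the model also shows that the fixed version still reverts when diff * diff exceeds uint256.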

Impact

Requests that require validation will never be completed, because BuyerAgent.finalizeValidation() reverts whenever it is called, as explained above. As a consequence, the generators and validators that took part in the corresponding taskId will not receive the generatorFee and validatorFee respectively, and the task never reaches the Completed status.

Tools Used

Manual review, Remix

Recommendations

Modify the variance() function so that no subtraction can underflow (a uint256 cannot hold a negative value):

function variance(uint256[] memory data) internal pure returns (uint256 ans, uint256 mean) {
mean = avg(data);
uint256 sum = 0;
for (uint256 i = 0; i < data.length; i++) {
- uint256 diff = data[i] - mean;
+ uint256 diff = data[i] > mean ? data[i] - mean : mean - data[i];
sum += diff * diff;
}
ans = sum / data.length;
}
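Review bot: the `+` line removes the underflow, but two operations in the unchanged context can still revert for other inputs: `sum += diff * diff;` overflows uint256 once `diff` reaches 2^128, and `ans = sum / data.length;` divides by zero when `data` is empty. Worth stating those remaining preconditions in the recommendation, or adding a `require(data.length > 0)` guard alongside the fix.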
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Underflow in computing variance
