Dria

Swan
NFTHardhat
21,000 USDC
View results
Submission Details
Severity: medium
Valid

Nonce Pre-mining Vulnerability: Exploiting Insufficient Task-Specific Validation

Summary

The vulnerability identified arises from the inadequate design of the assertValidNonce function, used by both responders and validators. The function fails to incorporate critical information (such as specific responses or scores) when verifying proof-of-work, enabling malicious actors to pre-mine valid nonce values. This flaw poses a significant risk, allowing attackers to validate multiple requests in a single transaction, jeopardizing the integrity of the validation process, and unfairly claiming validation fees.

Vulnerability Details

  • Location: The issue is found in the assertValidNonce function, which validates nonce submissions for both tasks and validations.

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleCoordinator.sol#L313C1-L318C6

function assertValidNonce(uint256 taskId, TaskRequest storage task, uint256 nonce) internal view {
@>> bytes memory message = abi.encodePacked(taskId, task.input, task.requester, msg.sender, nonce);
if (uint256(keccak256(message)) > type(uint256).max >> uint256(task.parameters.difficulty)) {
revert InvalidNonce(taskId, nonce);
}
}
  • Description: The current implementation of assertValidNonce uses the task ID, input, requester, message sender, and nonce to compute and verify a hash. It omits unique task data like responses or scores in its calculations, making it vulnerable to pre-mining.

  • Attack Window: Because the nonce computation lacks specificity to each validation or response, an attacker has the opportunity to pre-compute valid nonce values before responses are submitted. The time between task request creation and the final response provides the attacker with ample opportunity to generate these nonces.

  • Exploitation: A malicious actor can:

    1. Pre-mine nonce values across multiple potential sender addresses during the open-window phase of a task.

    2. Use a single transaction to rapidly register, validate using pre-mined nonces, and withdraw deposits, cycling this process to monopolize validation fees.

POC

This POC demonstrates how a malicious actor can exploit the nonce pre-mining vulnerability in the LLMOracleCoordinator contract to usurp validation fees. By pre-computing valid nonces prior to task responses, an attacker can systematically validate tasks using multiple addresses in a single transaction, thereby claiming unfair validation rewards.

Steps to Exploit

  1. Initial Setup:

    • A task is created and entered into the PendingGeneration status.

  2. Pre-mining Valid Nonces:

    • The attacker calculates potential nonce values for the task using known inputs (taskId, task.input, task.requester) and varying addresses (msg.sender):

      // Pseudocode
      for each possible address in address pool {
      for each candidate nonce {
      message = abi.encodePacked(taskId, task.input, task.requester, address, candidate_nonce);
      hash = uint256(keccak256(message));
      if (hash <= target_value) {
      store valid nonce for address;
      }
      }
      }
    • The process involves iterating over a list of controlled or test addresses, finding at least one valid nonce for each.

  3. Simultaneous Registration and Validation:

    • Upon identification of valid nonces, the attacker bundles the following operations into a single transaction:

      • Register each address as a validator.

      • Use the pre-computed valid nonces to validate the task.

      • Withdraw any deposits to minimize locking funds.

      for each address with valid nonce {
      1. register validator with address;
      2. validate using pre-mined nonce;
      3. withdraw stake if necessary;
      }
  4. Rapid Execution:

    • Using this loop structure executed within a single transaction, the attacker efficiently captures validation fees across multiple addresses without leaving room for genuine validators to participate.

Impact

The primary impact is financial. An attacker can illegitimately claim the majority or entirety of validation fees, depriving honest validators of their rightful earnings.

Tools Used

Foundry

Recommendations

Enhance the nonce validation by including more data specific to the task in the proof-of-work calculation (e.g., incorporating responses or scores). This ensures each nonce is tightly coupled to its corresponding task validation.

// Nonce validation for Responders
function assertValidNonceForResponse(
uint256 taskId,
TaskRequest storage task,
uint256 nonce,
bytes calldata output,
bytes calldata metadata
) internal view {
bytes memory message = abi.encodePacked(taskId, task.input, task.requester, msg.sender, nonce, output, metadata);
if (uint256(keccak256(message)) > type(uint256).max >> uint256(task.parameters.difficulty)) {
revert InvalidNonce(taskId, nonce);
}
}
// Nonce validation for Validators
function assertValidNonceForValidation(
uint256 taskId,
TaskRequest storage task,
uint256 nonce,
uint256[] calldata scores,
bytes calldata metadata
) internal view {
bytes memory message = abi.encodePacked(taskId, task.input, task.requester, msg.sender, nonce, scores, metadata);
if (uint256(keccak256(message)) > type(uint256).max >> uint256(task.parameters.difficulty)) {
revert InvalidNonce(taskId, nonce);
}
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

There is no oracle whitelisting

Appeal created

galturok Submitter
7 months ago
inallhonesty Lead Judge
7 months ago
inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

There is no oracle whitelisting

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.