The LLMOracleCoordinator's respond
and validate
functions require users to stake DRIA tokens before calling them.
However, due to unrestricted unregister
, users can become generators or validators without any real cost. This enables operating multiple generator/validator accounts simultaneously without maintaining stakes, potentially leading to malicious responses.
Since unregister
can be called at any time, the following attack can be executed within a single block:
Swap USDC for DRIA
Call register
to become a generator or validator
Submit malicious respond or validate calls
Call unregister
and use transferFrom to retrieve DRIA
Swap DRIA back to USDC
Additionally, attackers can transfer DRIA to different accounts to operate multiple accounts using this method.
This vulnerability is particularly concerning because:
The Coordinator has a maximum number of allowed responses/validations
Users can submit malicious responses/validations without maintaining actual stakes
So attacker can earn generator, validator fees without DRIA price risk. And also can manipulate response with multiple accounts.
None
It is recommended to add cooldown periods between registration and unregister.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.