Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Attacker can manipulate Oracle response with temporal staking

jiri123

Summary

The LLMOracleCoordinator's respond and validate functions require users to stake DRIA tokens before calling them.

However, due to unrestricted unregister, users can become generators or validators without any real cost. This enables operating multiple generator/validator accounts simultaneously without maintaining stakes, potentially leading to malicious responses.

Vulnerability Details

function register(LLMOracleKind kind) public {

uint256 amount = getStakeAmount(kind);

// ensure the user is not already registered

if (isRegistered(msg.sender, kind)) {

revert AlreadyRegistered(msg.sender);

}

// ensure the user has enough allowance to stake

if (token.allowance(msg.sender, address(this)) < amount) {

revert InsufficientFunds();

}

token.transferFrom(msg.sender, address(this), amount);

// register the user

registrations[msg.sender][kind] = amount;

emit Registered(msg.sender, kind);

}

/// @notice Remove registration of an Oracle.

/// @dev Reverts if the user is not registered.

/// @param kind The kind of Oracle to unregister.

/// @return amount Amount of stake approved back.

function unregister(LLMOracleKind kind) public returns (uint256 amount) {

amount = registrations[msg.sender][kind]; // @audit anytime user can unregister.

// ensure the user is registered

if (amount == 0) {

revert NotRegistered(msg.sender);

}

// unregister the user

delete registrations[msg.sender][kind];

emit Unregistered(msg.sender, kind);

// approve its stake back

token.approve(msg.sender, token.allowance(address(this), msg.sender) + amount);

}

Since unregister can be called at any time, the following attack can be executed within a single block:

Swap USDC for DRIA
Call register to become a generator or validator
Submit malicious respond or validate calls
Call unregister and use transferFrom to retrieve DRIA
Swap DRIA back to USDC

Additionally, attackers can transfer DRIA to different accounts to operate multiple accounts using this method.

Impact

This vulnerability is particularly concerning because:

The Coordinator has a maximum number of allowed responses/validations
Users can submit malicious responses/validations without maintaining actual stakes

So attacker can earn generator, validator fees without DRIA price risk. And also can manipulate response with multiple accounts.

Tools Used

None

Recommendations

It is recommended to add cooldown periods between registration and unregister.

mapping(address => uint256) public registrationTime;

function register(LLMOracleKind kind) public {

...

registrationTime[msg.sender] = block.timestamp;

}

function unregister(LLMOracleKind kind) public returns (uint256 amount) {

require(block.timestamp >= registrationTime[msg.sender] + MINIMUM_STAKE_DURATION);

...

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

There is no oracle whitelisting

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.