Dria

Swan
NFTHardhat
21,000 USDC
View results
Submission Details
Severity: high
Valid

When calculating the difference, no size judgment is performed, which will cause rollback.

Summary

contracts/llm/LLMOracleCoordinator.sol

In the avg function, the calculation of the diff parameter may cause rollback due to the subtraction operation, which will affect the normal operation of the function and make the protocol unable to operate normally.

Vulnerability Details

Here are the affected functions

function variance(uint256[] memory data) internal pure returns (uint256 ans, uint256 mean) {
mean = avg(data);
uint256 sum = 0;
for (uint256 i = 0; i < data.length; i++) {
uint256 diff = data[i] - mean;
sum += diff * diff;
}
ans = sum / data.length;
}

For example:

data = [1, 3, 3, 3, 2];
mean = 2;
while i = 0
uint256 diff = data[i] - mean = 1 - 2 (ERROR!)

Impact

This problem affects the normal operation of the function and makes the protocol unable to operate normally.

Tools Used

Recommendations

It is recommended to calculate the relative value and determine the size first when subtracting

function variance(uint256[] memory data) internal pure returns (uint256 ans, uint256 mean) {
mean = avg(data);
uint256 sum = 0;
for (uint256 i = 0; i < data.length; i++) {
uint256 diff;
if (data[i] > mean) {
diff = data[i] - mean;
} else {
diff = mean - data[i];
}
sum += diff * diff;
}
ans = sum / data.length;
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Underflow in computing variance

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.