Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Calling the `withdrawPlatformFees` function will prevent users from withdrawing rewards

acai

Summary

contracts/llm/LLMOracleCoordinator.sol

The withdrawPlatformFees function will withdraw all feeToken from the LLMOracleCoordinator contract. This will cause the token balance of the LLMOracleCoordinator contract to be 0, making it impossible for validator and responder to obtain rewards from the LLMOracleCoordinator contract.

Vulnerability Details

After executing the withdrawPlatformFees function, the contract has no tokens.

function withdrawPlatformFees() public onlyOwner {

feeToken.transfer(owner(), feeToken.balanceOf(address(this)));

}

Even if the finalizeValidation function authorizes the reward amount to the user through the _increaseAllowance function, the user cannot withdraw the reward.

function finalizeValidation(uint256 taskId) private {

TaskRequest storage task = requests[taskId];

// compute score for each generation

for (uint256 g_i = 0; g_i < task.parameters.numGenerations; g_i++) {

...

for (uint256 v_i = 0; v_i < task.parameters.numValidations; ++v_i) {

uint256 score = scores[v_i];

if ((score >= _mean - _stddev) && (score <= _mean + _stddev)) {

innerSum += score;

innerCount++;

// send validation fee to the validator

_increaseAllowance(validations[taskId][v_i].validator, task.validatorFee);

}

...

}

...

}

Impact

validator and responder could not obtain rewards from the LLMOracleCoordinator contract.

Tools Used

Recommendations
Modification suggestions:

When issuing rewards, do not use the form of authorization, and send tokens directly.
The withdrawPlatformFees function does not transfer all tokens, leaving some tokens for validator and responder to claim rewards.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

`withdrawPlatformFees` withdraws the entire balance

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.