Dria
Swan
NFTHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Inadequate Length Validation on protocol Field in request Function Allows Truncation of Input Data

eagles

Summary

The LLMOracleCoordinator::request function includes a protocol field, specified as a 32-byte data type. According to documentation, this field should be a short string limited to 32 bytes. However, the function does not validate the length of protocol, meaning if the input exceeds 32 bytes, it will be automatically truncated without warning. This can lead to unexpected outcomes, as only the first 32 bytes are preserved, potentially resulting in incorrect protocol data being stored and processed.

Vulnerability Details

The protocol parameter is expected to be a bytes32 value. If the caller supplies data longer than 32 bytes, it will be silently truncated when cast to bytes32, potentially resulting in data loss or unexpected values. There is no length validation for protocol, making it possible for users to pass in an unintended protocol identifier if unaware of the truncation behavior.

function request(
bytes32 protocol,
bytes memory input,
bytes memory models,
LLMOracleTaskParameters calldata parameters
) public onlyValidParameters(parameters) returns (uint256) {
- //@audit does not validate the length of the protocol field,
(uint256 totalfee, uint256 generatorFee, uint256 validatorFee) = getFee(parameters);
// check allowance requirements
uint256 allowance = feeToken.allowance(msg.sender, address(this));
if (allowance < totalfee) {
revert InsufficientFees(allowance, totalfee);
}
// ensure there is enough balance
uint256 balance = feeToken.balanceOf(msg.sender);
if (balance < totalfee) {
revert InsufficientFees(balance, totalfee);
}
// transfer tokens
feeToken.transferFrom(msg.sender, address(this), totalfee);
// increment the task id for later tasks & emit task request event
uint256 taskId = nextTaskId;
unchecked {
++nextTaskId;
}
emit Request(taskId, msg.sender, protocol);
// push request & emit status update for the task
requests[taskId] = TaskRequest({
requester: msg.sender,
protocol: protocol,
input: input,
parameters: parameters,
status: TaskStatus.PendingGeneration,
generatorFee: generatorFee,
validatorFee: validatorFee,
platformFee: platformFee,
models: models
});
emit StatusUpdate(taskId, protocol, TaskStatus.None, TaskStatus.PendingGeneration);
return taskId;
}

  1. Call the request function with a protocol value exceeding 32 bytes.

  2. Observe that only the first 32 bytes of the protocol value are retained, with the remaining bytes discarded.

  3. The task request may proceed with an incorrect or unintended protocol identifier due to truncation.

Impact

Data truncation of the protocol field may cause misrepresentation or incorrect processing of tasks, which can lead to:

  1. Incorrect protocol identification, potentially causing misrouting or handling of tasks.

Tools Used

Manual code review

Recommendations

Add a validation check in the request function to ensure the protocol string length does not exceed 32 bytes before it is cast to bytes32. This will ensure that the function reverts if the input exceeds the specified limit, preventing unintended truncation.

This check will revert the transaction if the protocol input length exceeds the 32-byte limit, ensuring that only valid data is accepted.

+ require(bytes(protocol).length <= 32, "Protocol string exceeds 32 bytes");
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!