Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: high
Valid

`finalizeValidation` will likely underflow

Summary

finalizeValidation will likely underflow due to a multiplication and subtraction from the mean.

Vulnerability Details

finalizeValidation calculates rewards for all generators and validators that took part in performing the task. The function ends by paying the generators whose scores are at least mean - generationDeviationFactor * stddev.

```solidity
for (uint256 g_i = 0; g_i < task.parameters.numGenerations; g_i++) {
    if (generationScores[g_i] >= mean - generationDeviationFactor * stddev) {
        _increaseAllowance(responses[taskId][g_i].responder, task.generatorFee);
    }
}
```

However, the function does not take into account that generationDeviationFactor is a global value used for all tasks, while stddev and mean differ per task. This makes it likely that for some tasks generationDeviationFactor * stddev will be bigger than mean, leading to an underflow in the code above.

Not only that, but validators can also play a part here: a validator can accidentally or purposefully skew the scores so that this reverts and no one gets paid. There are many ways to describe this bug and many other ways to reach the same outcome; however, its root lies in this expression: mean - generationDeviationFactor * stddev

Impact

Some tasks will not be finalized, making their validators and allocators lose money, together with the users who listed NFTs for that task.

Tools Used

Manual review

Recommendations

Convert these values to int before performing this math operation.
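
The failing comparison next to two non-reverting forms, as an added example that is not part of the original submission or the Dria code base. The contract name `ThresholdCheck` and its function names are hypothetical, Solidity 0.8 checked arithmetic is assumed, and the rearranged form goes beyond the recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration (hypothetical names): the generator payout check from
/// the finding, isolated as pure functions so each form can be called directly.
contract ThresholdCheck {
    /// Same expression as in the finding. Under checked arithmetic the
    /// subtraction reverts with Panic(0x11) whenever factor * stddev > mean,
    /// so a single high-variance task blocks the whole payout loop.
    function vulnerable(uint256 score, uint256 mean, uint256 stddev, uint256 factor)
        external
        pure
        returns (bool)
    {
        return score >= mean - factor * stddev;
    }

    /// The recommendation: do the subtraction in signed arithmetic, so the
    /// threshold may go negative and every non-negative score then passes.
    /// Assumption: all inputs are small enough to fit in int256, since an
    /// explicit uint256 -> int256 cast does not revert on out-of-range values.
    function signedFix(uint256 score, uint256 mean, uint256 stddev, uint256 factor)
        external
        pure
        returns (bool)
    {
        int256 threshold = int256(mean) - int256(factor) * int256(stddev);
        return int256(score) >= threshold;
    }

    /// Equivalent inequality with the product moved to the left-hand side:
    /// score >= mean - factor * stddev  <=>  score + factor * stddev >= mean.
    /// Nothing is subtracted, so there is no underflow path.
    function rearrangedFix(uint256 score, uint256 mean, uint256 stddev, uint256 factor)
        external
        pure
        returns (bool)
    {
        return score + factor * stddev >= mean;
    }
}
```

With constructed inputs such as mean = 5, stddev = 4 and factor = 2, the product 8 exceeds the mean: `vulnerable` reverts, while both fixed forms evaluate the comparison and return a result.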

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Underflow in `LLMOracleCoordinator::validate`
