Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: high
Valid

`variance` will revert in some cases

Summary

`variance` will revert in some cases due to an underflow.

Vulnerability Details

`finalizeValidation` is used to finalize any tasks that require validation. That function invokes `stddev`, and `stddev` in turn uses `variance`, where the actual issue is. `variance` is used to calculate the variance and mean of an array of scores. To do so, it finds the diff by subtracting the mean from each data element: `uint256 diff = data[i] - mean;`

    function variance(uint256[] memory data) internal pure returns (uint256 ans, uint256 mean) {
        mean = avg(data);
        uint256 sum = 0;
        for (uint256 i = 0; i < data.length; i++) {
            // Unsigned subtraction: underflows whenever data[i] < mean
            uint256 diff = data[i] - mean;
            sum += diff * diff;
        }
        ans = sum / data.length;
    }

However, that code is dangerous, as it will lead to an underflow in most cases: the mean, also known as the average, is going to be bigger than the smallest elements of data.

Example:

  1. We call `variance` for this set of scores: [10, 15, 20]

  2. `mean` will be calculated as 15 using the `avg` function

  3. The first loop iteration will revert, as we do diff => data[0] - mean => 10 - 15 => underflow

Impact

Core function will revert, causing the whole system to freeze the tasks that require validation.

Tools Used

Manual review

Recommendations

Use an int to calculate the diff.
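
The recommendation above, as an added example that is not the project's code, placing the reverting subtraction beside a signed-difference version. The library and contract names and the body of `avg` are assumptions (the page does not show `avg`), and the cast assumes every score fits in an `int256`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Names and the avg body are assumptions, not the project's code.
library StatsExample {
    // Assumed integer mean; reverts on empty input (division by zero).
    function avg(uint256[] memory data) internal pure returns (uint256 ans) {
        uint256 sum = 0;
        for (uint256 i = 0; i < data.length; i++) {
            sum += data[i];
        }
        ans = sum / data.length;
    }

    // Same arithmetic as the finding: checked uint256 subtraction
    // panics (0x11) as soon as some data[i] is below the mean.
    function varianceVulnerable(uint256[] memory data) internal pure returns (uint256 ans, uint256 mean) {
        mean = avg(data);
        uint256 sum = 0;
        for (uint256 i = 0; i < data.length; i++) {
            uint256 diff = data[i] - mean;
            sum += diff * diff;
        }
        ans = sum / data.length;
    }

    // Signed difference, as recommended: diff may be negative, but its
    // square is non-negative and converts back to uint256 safely.
    function varianceSigned(uint256[] memory data) internal pure returns (uint256 ans, uint256 mean) {
        mean = avg(data);
        uint256 sum = 0;
        for (uint256 i = 0; i < data.length; i++) {
            int256 diff = int256(data[i]) - int256(mean);
            sum += uint256(diff * diff);
        }
        ans = sum / data.length;
    }
}

contract VarianceDemo {
    // Constructed sample input: the scores from the finding's example.
    function sampleScores() internal pure returns (uint256[] memory d) {
        d = new uint256[](3);
        d[0] = 10;
        d[1] = 15;
        d[2] = 20;
    }

    // Reverts on the first iteration (10 - 15 as uint256).
    function vulnerable() external pure returns (uint256, uint256) {
        return StatsExample.varianceVulnerable(sampleScores());
    }

    // Completes on the same input.
    function hardened() external pure returns (uint256, uint256) {
        return StatsExample.varianceSigned(sampleScores());
    }
}
```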

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Underflow in computing variance
