Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Any malicious validator can DOS a task

anonymousjoe

Summary

Since becoming a validator is easy (stake an amount: which can be obtained using a flash loan), and the fact that a validator can give any score for a generation. A malicious validator can give the score as type(uint256).maxas the score which will DOS the task(the task can never be completed) because when calculating the mean of the scores, it will overflow and revert.

Vulnerability Details

During the validation period, any registered validator can validate any given task. So if a malicious validator gives type(uint256).maxas the score for a generation. During the calculation of mean, the finalizeValidationwill overflow and revert.

Assume the following scenario:

A task is in the pending validation stage and it needs 3 validations and 1 generation.
The malicious validator(who is registered) validates and gives a score of type(uint256).max
The other 2 validators come and give scores of 1 and 2 respectively.
When the finalizeValidationfunction is called at the end of the final validator, the mean of the scores is being calculated:
(uint256 _stddev, uint256 _mean) = Statistics.stddev(scores);
(https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleCoordinator.sol#L335C13-L335C74)

Inside this stddevfunction, the mean is being calculated as follows:
function avg(uint256[] memory data) internal pure returns (uint256 ans) {
uint256 sum = 0;
for (uint256 i = 0; i < data.length; i++) {
sum += data[i];
}
ans = sum / data.length;
}
(https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/libraries/Statistics.sol#L8-L14)

Here data[3] = {type(uint256).max, 1, 2}. Thus when sum += data[i]is done, the sum will overflow and revert the entrie validation process. This task thus will never be completed.

Impact

Complete DOS of any task from any buyer at a low cost (gas fees only). The stake Amount to become a validator can be refunded. Thus the impact is high and the likelihood is also high (can be performed by anyone)

Tools Used

Manual Review

Recommendations

Set a cap for the scores. (Check to ensure that all scores are below 1e18 for example).

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Unbounded score values in `validate` function

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.