Dria

Swan
NFT Hardhat
21,000 USDC
Submission Details
Severity: high
Valid

Some tasks will never be completed because of mathematical error causing underflow

Summary

In the `finalizeValidation` function, it is checked that `score >= _mean - _stddev`. This subtraction can frequently underflow and cause the task to never be completed.

Vulnerability Details

In `finalizeValidation`, to ensure that the scores lie inside a certain window `[mean - stddev, mean + stddev]`, the following comparisons are done:

    for (uint256 v_i = 0; v_i < task.parameters.numValidations; ++v_i) {
        uint256 score = scores[v_i];
        if ((score >= _mean - _stddev) && (score <= _mean + _stddev)) {
            innerSum += score;
            innerCount++;
            // send validation fee to the validator
            _increaseAllowance(validations[taskId][v_i].validator, task.validatorFee);
        }
    }

(https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleCoordinator.sol#L341-L350)

But since the `stddev` can be greater than the `mean`, this comparison could revert due to underflow and cause the task to never complete.

For example, assume the scores are [1,1,1,12]:
1. The mean = (1+1+1+12)/4 = 15/4 = 3 (integer division)
2. The standard deviation = sqrt(((1-3)^2 + (1-3)^2 + (1-3)^2 + (12-3)^2)/4) = sqrt((4+4+4+81)/4) = sqrt(93/4) = sqrt(23) = 4.

Thus the mean = 3, and the stddev = 4. This causes the comparison to underflow and the task to be DOS'ed.

Impact

Since this is a naturally occurring phenomenon (mean < stddev) and quite common if scores are very spread out, this can occur pretty frequently. The impact is that the task is never completed. Thus the severity should be high.

Tools Used

Manual Review

Recommendations

Ensure that mean >= stddev. If this is not the case, use 0 as the lower bound for this comparison.
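
The recommended clamp, shown next to the reverting comparison, as an added example that is not the project's code. The contract name and the functions `stats`, `isqrt`, `countVulnerable` and `countHardened` are hypothetical, and the integer mean and standard deviation are modelled only to reproduce the figures in the worked example above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: stand-alone model of the score filter, not the project's contract.
contract ScoreWindowExample {
    /// Integer mean and population standard deviation (both truncate).
    /// Assumes a non-empty array; an empty one reverts on division by zero.
    function stats(uint256[] memory s) public pure returns (uint256 mean, uint256 stddev) {
        uint256 sum;
        for (uint256 i = 0; i < s.length; ++i) sum += s[i];
        mean = sum / s.length;
        uint256 sq;
        for (uint256 i = 0; i < s.length; ++i) {
            uint256 d = s[i] > mean ? s[i] - mean : mean - s[i]; // |score - mean|
            sq += d * d;
        }
        stddev = isqrt(sq / s.length);
    }

    /// Babylonian integer square root (floor).
    function isqrt(uint256 x) internal pure returns (uint256 y) {
        if (x == 0) return 0;
        uint256 z = (x + 1) / 2;
        y = x;
        while (z < y) { y = z; z = (x / z + z) / 2; }
    }

    /// Pattern from the finding: `mean - stddev` is checked arithmetic, so the
    /// whole call reverts with Panic(0x11) whenever stddev > mean.
    function countVulnerable(uint256[] memory s) external pure returns (uint256 n) {
        (uint256 mean, uint256 stddev) = stats(s);
        for (uint256 i = 0; i < s.length; ++i) {
            if (s[i] >= mean - stddev && s[i] <= mean + stddev) n++;
        }
    }

    /// Recommended fix: use 0 as the lower bound when mean < stddev.
    function countHardened(uint256[] memory s) external pure returns (uint256 n) {
        (uint256 mean, uint256 stddev) = stats(s);
        uint256 lower = mean >= stddev ? mean - stddev : 0;
        uint256 upper = mean + stddev;
        for (uint256 i = 0; i < s.length; ++i) {
            if (s[i] >= lower && s[i] <= upper) n++;
        }
    }
}
```

With the scores [1,1,1,12], `countVulnerable` reverts on `3 - 4`, while `countHardened` uses the window [0, 7] and counts the three scores of 1.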

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Underflow in `LLMOracleCoordinator::validate`
