Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: medium
Valid

`finalizeValidation` would be faulty with small amount of validators

Summary

The system allows a range of validator counts, from as few as 0 to as many as 10. However, some configurations are dangerous because they give validators too much power to pick the highest scoring list of assets.

Vulnerability Details

Sellers can list items for buyers. After a buyer makes a request, that request gets validated and finally finalizeValidation is called to sort out the responses. The important function is getBestResponse, which takes these sorted responses and returns the one with the highest score. That result is later used inside oracleResult to get the output, and finally this output is used inside purchase to make the buyer purchase the output array of Swan assets.

In short the highest scored generator decides which assets the buyer will be able to buy.

However, a small number of validators gives them the ability to choose which generator did the best work without taking any risk. Because of that, validators can choose their generator buddy and score it the highest of them all, giving it the right to pick the assets offered to the buyer. These assets can be made expensive so that the colluding party profits.

Example:

  1. Generator count is 5 and validator count is 1

  2. Bob's AI makes a request

  3. Alice lists a few items and her generator bot generates a response containing her items only

  4. Alice manages to be the first (and only) validator, so she picks her own generator bot

  5. Her bot gets the highest score, so its output gets returned by getBestResponse for that task, making Bob's AI purchase Alice's items

Even if Alice doesn't get to be a validator this time, someone else will be, and they would promote their own items only.

Impact

Validators can manipulate the system when their count is low (1 in this example).

Tools Used

Manual review

Recommendations

Require a validator count of either 0 or 2+; allowing exactly 1 would let that single validator control which items are served to the buyer.
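The following is an added toy model, not Swan's contract code: it assumes validators score every generator response, scores are averaged per generator, and the highest average wins (standing in for getBestResponse). It reproduces the single-validator scenario above and goes one step beyond the recommendation, showing that the judge's note about unbounded score values matters too, since an uncapped score lets one colluder outvote several honest validators even when the count guard is in place.

```python
from statistics import mean

# Constructed sample data: generator 0 is genuinely the best response,
# while one colluding validator favours generator 4 with an absurd score.
HONEST = [80, 70, 60, 50, 40]
COLLUDER = [0, 0, 0, 0, 10**9]

def best_response(scores_by_validator, cap=None):
    """Index of the generator with the highest mean score across validators.
    scores_by_validator: one list per validator, one score per generator.
    cap: optional maximum that each individual score is clipped to
    (assumed mitigation for the unbounded-score finding)."""
    if not scores_by_validator:
        raise ValueError("no validators")
    if cap is not None:
        scores_by_validator = [[min(s, cap) for s in row] for row in scores_by_validator]
    n_gen = len(scores_by_validator[0])
    means = [mean(row[g] for row in scores_by_validator) for g in range(n_gen)]
    return max(range(n_gen), key=lambda g: (means[g], -g))  # ties -> lowest index

def validator_count_ok(count):
    """Recommended configuration guard: no validation at all, or at least two."""
    return count == 0 or count >= 2

def winner(num_honest, cap=None):
    """Winning generator with `num_honest` honest validators plus the one colluder."""
    return best_response([HONEST] * num_honest + [COLLUDER], cap=cap)

if __name__ == "__main__":
    print("1 validator (the colluder):", winner(0))        # 4: colluder decides
    print("3 honest + colluder, unbounded:", winner(3))    # 4: still the colluder
    print("3 honest + colluder, capped:", winner(3, 100))  # 0: honest majority wins
    print("validator count 1 allowed?", validator_count_ok(1))  # False
```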

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unbounded score values in `validate` function
