Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Owner Can Withdraw Generator and Validator Fees Through `withdrawPlatformFees()`

0xvd

Summary

The withdrawPlatformFees() function in LLMOracleCoordinator allows the owner to withdraw all funds from the contract, including generator and validator fees that are meant to be claimed by the respective service providers.

Vulnerability Details

The withdrawPlatformFees() function transfers the entire contract balance to the owner without distinguishing between platform fees and fees reserved for generators and validators:

function withdrawPlatformFees() public onlyOwner {

@ feeToken.transfer(owner(), feeToken.balanceOf(address(this)));

}

The issue arises because:

When tasks are created, the total fees (platform, generator, and validator fees) are transferred to the contract:

// In request() function:

feeToken.transferFrom(msg.sender, address(this), totalfee);

Fees for generators and validators are held in the contract until task completion:

// In finalizeValidation():

_increaseAllowance(validations[taskId][v_i].validator, task.validatorFee);

_increaseAllowance(responses[taskId][g_i].responder, task.generatorFee);

The owner can call withdrawPlatformFees() at any time and take all funds, including those reserved for pending payments.

Example scenario:

// 1. Task created with fees:

platformFee = 10 tokens

generatorFee = 50 tokens

validatorFee = 40 tokens

Total = 100 tokens transferred to contract

// 2. Before validation completes, owner calls:

withdrawPlatformFees()

// Withdraws all 100 tokens, including the 90 tokens meant for generators/validators

Impact

Generators can lose earned fees for completed work

Validators can lose earned fees for validation services

Direct loss of funds meant for service providers

Tools Used

Manual Review

Recommendations

Track platform fees in a separate variable (e.g., platformFeeBalance) and update it exclusively when platform fees are collected.

Modify withdrawPlatformFees to transfer only the platformFeeBalance, leaving generatorFee and validatorFee balances unaffected. This would ensure that only platform fees are accessible to the owner.

Implementing these changes would prevent the contract from unintentionally transferring responder and validator funds, ensuring accurate reward distribution.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

`withdrawPlatformFees` withdraws the entire balance

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.