LLMOracleCoordinator.finalizeValidation() might revert for calculation of a negative uint256
Line 368 of LLMOracleCoordinator belongs to finalizeValidation(), a function used when a request changes its status to Completed. It rewards the request's generators and validators by granting them generatorFee and validatorFee respectively. This is the part from which the issue comes:
By default, generationDeviationFactor is 1, so the formula 'mean - generationDeviationFactor * stddev' will always be >= 0. However, this value can be changed by the owner, which can lead to situations in which the function tries to calculate a negative number. This causes the function to revert (newer compiler versions of Solidity do not underflow, but revert instead), leading to a DoS in which a request cannot be completed, and therefore generators and validators will not receive their fees.
Example:
For a given request's generations with mean = 100, stddev = 60 and generationDeviationFactor = 1, the computed number is 100 - 1 * 60 = 40 (valid uint256).
However, if mean = 100, stddev = 60 and generationDeviationFactor = 2, then the calculated value is 100 - 2 * 60 = -20 (invalid uint256). The function will revert.
Requests cannot be completed because of a DoS in which a negative uint256 is calculated. Generators and validators do not receive their corresponding fees because of this.
Manual review, Remix testing
Rearrange the comparison so that no negative numbers are computed, no matter the value of generationDeviationFactor:
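The revert and the rearrangement can be reproduced in Remix with the numbers from the example above. The contract below is an added illustration, not the LLMOracleCoordinator code or the project's patch. It assumes the check has the shape `score >= mean - factor * stddev`; the contract, its function names and the score of 50 are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only; this is not the LLMOracleCoordinator source.
/// Assumed check: a generation's score passes when
/// score >= mean - factor * stddev (factor stands for generationDeviationFactor).
contract DeviationCheckDemo {
    /// Subtract-first form. Checked arithmetic reverts with Panic(0x11)
    /// as soon as factor * stddev exceeds mean.
    function passesSubtractFirst(uint256 score, uint256 mean, uint256 stddev, uint256 factor)
        public
        pure
        returns (bool)
    {
        return score >= mean - factor * stddev;
    }

    /// Rearranged form: the product moves to the left-hand side, so nothing
    /// is subtracted and the same inequality holds for every factor.
    function passesRearranged(uint256 score, uint256 mean, uint256 stddev, uint256 factor)
        public
        pure
        returns (bool)
    {
        return score + factor * stddev >= mean;
    }

    /// Runs the page's numbers (mean = 100, stddev = 60) with a constructed score of 50.
    function demo()
        external
        view
        returns (bool passesWithFactor1, bool subtractRevertsWithFactor2, bool rearrangedWithFactor2)
    {
        passesWithFactor1 = passesSubtractFirst(50, 100, 60, 1); // compares 50 with 100 - 60
        try this.passesSubtractFirst(50, 100, 60, 2) returns (bool) {
            subtractRevertsWithFactor2 = false;
        } catch {
            subtractRevertsWithFactor2 = true; // 100 - 120 cannot be represented
        }
        rearrangedWithFactor2 = passesRearranged(50, 100, 60, 2); // compares 50 + 120 with 100
    }
}
```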