Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

Validation can be DoS'ed by a malicious or flawed validation oracle

Summary

A misbehaving or malicious validation oracle can submit an unreasonably high score, potentially causing arithmetic overflow during calculations.

Vulnerability Details

Validation oracles are expected to submit their results using the LLMOracleCoordinator::validate method, providing scores for each generator oracle response (LLMOracleCoordinator.sol#L260).

The score variable is of type uint256 and is expected, as specified by the sponsor, to fall within the range of 0 to 1e18:

What are the usual score value ranges from the node?

Çağla Çelik — Oct 31, 2024 at 8:44 AM
Scores are expected to be between 0e18 and 1e18

https://discord.com/channels/1127263608246636635/1299335387898183710/1301451630977220629

If scores remain within the specified range (0 to 1e18), overflow is realistically impossible. This range is not enforced within the validate method, however, so a misbehaving oracle can submit an unreasonably high value, up to type(uint256).max, and the contract accepts it without reverting. The failure surfaces later: when the last validator submits scores, the finalizeValidation method is executed, which performs statistical computations:

https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/llm/LLMOracleCoordinator.sol#L304

https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/llm/LLMOracleCoordinator.sol#L335

If the scores contain such unreasonably high values, this may lead to arithmetic overflow during average value calculations:

https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/libraries/Statistics.sol#L11

```solidity
function avg(uint256[] memory data) internal pure returns (uint256 ans) {
    uint256 sum = 0;
    for (uint256 i = 0; i < data.length; i++) {
        sum += data[i]; // <-- reverts on overflow if data[i] is equal or close to type(uint256).max
    }
    ans = sum / data.length;
}
```

As a result, the buyer will be unable to execute the purchase call, as the task cannot transition to TaskStatus.Completed.

Impact

Task validation cannot be finalized due to arithmetic overflow, blocking purchases.

Tools Used

Manual review

Recommendations

Require each score submitted to validate to be within the range of 0 to 1e18, and revert the call if these bounds are breached.
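One way to apply this recommendation, shown as an added example that is not the Swan/Dria source code. The contract name, `MAX_SCORE`, `ScoreOutOfRange`, the simplified `validate` signature and `finalize` are hypothetical stand-ins; only `avg` mirrors the function quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration: bound scores when they are submitted so that the
/// later averaging step cannot overflow. All names except `avg` are hypothetical.
contract BoundedScoreCoordinator {
    /// Upper bound stated by the sponsor (scores are 0 to 1e18).
    uint256 public constant MAX_SCORE = 1e18;

    error ScoreOutOfRange(uint256 index, uint256 score);
    error NoScores();

    // taskId => all scores submitted by validators (flattened for brevity)
    mapping(uint256 => uint256[]) private _scores;

    /// Hypothetical stand-in for the validate entry point.
    /// An out-of-range score reverts only the submitting oracle's call,
    /// so one misbehaving validator cannot block finalization for everyone.
    function validate(uint256 taskId, uint256[] calldata scores) external {
        for (uint256 i = 0; i < scores.length; i++) {
            // uint256 cannot be negative, so only the upper bound needs a check.
            if (scores[i] > MAX_SCORE) revert ScoreOutOfRange(i, scores[i]);
            _scores[taskId].push(scores[i]);
        }
    }

    /// Hypothetical stand-in for the finalization step that computes statistics.
    function finalize(uint256 taskId) external view returns (uint256) {
        uint256[] memory data = _scores[taskId];
        if (data.length == 0) revert NoScores();
        return avg(data);
    }

    /// Same logic as the quoted Statistics.avg. With every element <= 1e18,
    /// sum <= data.length * 1e18, which stays below 2**256 for any array
    /// length a transaction could realistically carry.
    function avg(uint256[] memory data) internal pure returns (uint256 ans) {
        uint256 sum = 0;
        for (uint256 i = 0; i < data.length; i++) {
            sum += data[i];
        }
        ans = sum / data.length;
    }
}
```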

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unbounded score values in `validate` function
