Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Overflow error in the `variance() function that prevents the validation from being finalized

merlin

Summary

After the task status changes to PendingValidation, validators begin validating requests for the specified taskId in LLMOracleCoordinator. The final validator then computes the validation scores for that task. When calculating variance in the variance function: uint256 diff = data[i] - mean; could return a negative value if data[i] < mean, which is not permitted in uint256.

Vulnerability Details

Let’s examine how validation scores are calculated for a given task:

Suppose numGenerations == 2 and numValidations == 3.

The last validator (oracle) triggering the private function finalizeValidation. In the loop, scores are obtained for the first generation:

// get the scores for this generation, i.e. the g_i-th element of each validation

uint256[] memory scores = new uint256[]();

for (uint256 v_i = 0; v_i < task.parameters.numValidations; v_i++) {

scores[v_i] = validations[taskId][v_i].scores[g_i]; // g_i == 0

}

After this, the stddev function from the Statistics library is called to calculate the mean and standard deviation:

(uint256 _stddev, uint256 _mean) = Statistics.stddev(scores);

The scores assigned by validators for the first generation are passed to the stddev function. The stddev function calls the variance function, which does not account for case where a score from some validator might be lower than the mean score, causing a revert:

(uint256 _variance, uint256 _mean) = variance(data);

function variance(uint256[] memory data) internal pure returns (uint256 ans, uint256 mean) {

mean = avg(data);

uint256 sum = 0;

for (uint256 i = 0; i < data.length; i++) {

uint256 diff = data[i] - mean; /// data[i] < mean

sum += diff * diff;

}

ans = sum / data.length;

}

A score from a validator might be lower than the mean score, either due to a malicious validator or as a result of natural validation.

Impact

Validation will not be finalized, the requester will not receive the best response, and generators and validators will not be paid.

Tools Used

Manual review

Recommendations

Consider handling a scenario where the score is less than the mean score.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Underflow in computing variance

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.