Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: high
Valid

The case where `_stddev > _mean` is not handled in `LLMOracleCoordinator.finalizeValidation()`

Summary

The case where `_stddev > _mean` is not addressed in `LLMOracleCoordinator.finalizeValidation()`, which causes a revert when the function is called by the last validator.

Vulnerability Details

`Statistics.stddev` calculates the mean and standard deviation from the scores of validators for each generation.

```solidity
// compute the mean and standard deviation
(uint256 _stddev, uint256 _mean) = Statistics.stddev(scores);
```

Since validators can submit any value as a score (there is no input validation), malicious validators can provide a score that results in the standard deviation being greater than the mean. Under Solidity's checked arithmetic, `_mean - _stddev` then underflows and the transaction reverts:

```solidity
for (uint256 v_i = 0; v_i < task.parameters.numValidations; ++v_i) {
    uint256 score = scores[v_i];
    if ((score >= _mean - _stddev) && (score <= _mean + _stddev)) { /// _mean < _stddev == error
        innerSum += score;
        innerCount++;
        // send validation fee to the validator
        _increaseAllowance(validations[taskId][v_i].validator, task.validatorFee);
    }
}
```

Additionally, the same pattern appears at the end of the `finalizeValidation` function:

```solidity
// ignore lower outliers, mean < generationDeviationFactor * stddev == overflow error
if (generationScores[g_i] >= mean - generationDeviationFactor * stddev) {
    _increaseAllowance(responses[taskId][g_i].responder, task.generatorFee);
}
```

Impact

Validation will not be finalized, the requester will not receive the best response, and generators and validators will not be paid.

Tools Used

Manual review

Recommendations

Consider handling the case where `_mean < _stddev`.
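The following Python model (added here; it is not the Swan/Dria code and `stddev` is a simplified stand-in for `Statistics.stddev`) reproduces the revert with a constructed score set and shows a saturating lower bound that lets finalization proceed:

```python
"""Model of the score-band checks in finalizeValidation under checked uint256 arithmetic."""
from math import isqrt

UINT256_MAX = 2**256 - 1


class Panic(Exception):
    """Stands in for Solidity's Panic(0x11) revert on checked arithmetic."""


def checked_sub(a: int, b: int) -> int:
    if b > a:
        raise Panic("arithmetic underflow")
    return a - b


def checked_add(a: int, b: int) -> int:
    if a + b > UINT256_MAX:
        raise Panic("arithmetic overflow")
    return a + b


def stddev(scores: list[int]) -> tuple[int, int]:
    """Integer population stddev and mean; simplified model of Statistics.stddev (assumption)."""
    n = len(scores)
    mean = sum(scores) // n
    variance = sum((s - mean) ** 2 for s in scores) // n
    return isqrt(variance), mean


def in_band_original(score: int, mean: int, sd: int) -> bool:
    # `score >= _mean - _stddev`: the subtraction reverts whenever sd > mean.
    return score >= checked_sub(mean, sd) and score <= checked_add(mean, sd)


def in_band_fixed(score: int, mean: int, sd: int) -> bool:
    # Saturate the lower bound at zero instead of reverting.
    lower = 0 if sd > mean else mean - sd
    return lower <= score <= checked_add(mean, sd)


def above_lower_outlier_fixed(score: int, mean: int, sd: int, factor: int) -> bool:
    # Same saturation for the generation check: mean - factor * stddev.
    spread = factor * sd
    lower = 0 if spread > mean else mean - spread
    return score >= lower


def select_inliers(scores: list[int], band=in_band_original) -> list[int]:
    """Scores that fall within one stddev of the mean; raises Panic with the original check."""
    sd, mean = stddev(scores)
    return [s for s in scores if band(s, mean, sd)]
```

With the constructed set `[0, 0, 0, 100]` the mean is 25 but the deviation is 43, so the original check reverts while the fixed one keeps the three inliers.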

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Underflow in `LLMOracleCoordinator::validate`
