Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Malicious validator can give a scores with a very large number to generation, this may lead unintended behavior for the protocol

0xdemon

Summary

Malicious validator can give a score with a very large number to generation, this may lead unintended behavior for the protocol. Unintended behavior here includes influencing the results of the getBestResponse() function, which has an important role in determining which generation best fits the buyerAgent description and will be purchased then influencing the calculation of the value to determine which validators whose scores fall within the range will receive rewards

Vulnerability Details

Based on contest README, validator NOT TRUSTED, it may malicious and harm protocol

And in addition, the sponsor's statement that the supposed value for scores are 0e18 - 1e18 and the natspec in the codebase states that the function will revert if it exceeds the upper limit

/// @notice Validate requests for a given taskId.

/// @dev Reverts if the task is not pending validation.

/// @dev Reverts if the number of scores is not equal to the number of generations.

/// @dev Reverts if any score is greater than the maximum score.

/// @param taskId The ID of the task to validate.

/// @param nonce The proof-of-work nonce.

/// @param scores The validation scores for each generation.

/// @param metadata Optional metadata for this validation.

function validate(uint256 taskId, uint256 nonce, uint256[] calldata scores, bytes calldata metadata)

public

onlyRegistered(LLMOracleKind.Validator)

onlyAtStatus(taskId, TaskStatus.PendingValidation)

{

........

}

But in reality it is not so, the malicious validator can enter a scores greater than 1e18 and the validate() function does not revert

Coded POC

create any test file and rename it —> copy this code —> run yarn test ‘path/test.test.ts’

Coded POC and result

Impact

Unintended behavior : influencing the results of the getBestResponse() function, which has an important role in determining which generation best fits the buyerAgent description and will be purchased then influencing the calculation of the value to determine which validators whose values fall within the range will receive rewards

Tools Used

Manual Review

Recommended Mitigation

Consider add check for input value of scores

function validate(uint256 taskId, uint256 nonce, uint256[] calldata scores, bytes calldata metadata)

public

onlyRegistered(LLMOracleKind.Validator)

onlyAtStatus(taskId, TaskStatus.PendingValidation)

{

.........

require(0 <= scores <= 10^^18, "Scores out of range");

.........

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Unbounded score values in `validate` function

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.