Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: high
Valid

`finalizeValidation` in LLMOracleCoordinator.sol will revert on highly dispersed score values

Summary

When score values are highly dispersed, the mean can be less than the standard deviation, which causes the calculation to revert.

Vulnerability Details

In the score filtering logic of finalizeValidation, the protocol uses the difference between the mean and standard deviation as a lower bound to cut off outliers, relying on the assumption that the mean is greater than the standard deviation.

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleCoordinator.sol#L343

```solidity
// compute the score for this generation as the "inner-mean"
// and send rewards to validators that are within the range
uint256 innerSum = 0;
uint256 innerCount = 0;
for (uint256 v_i = 0; v_i < task.parameters.numValidations; ++v_i) {
    uint256 score = scores[v_i];
    if ((score >= _mean - _stddev) && (score <= _mean + _stddev)) { // <-- subtraction here is the potential issue
        innerSum += score;
        innerCount++;
        // send validation fee to the validator
        _increaseAllowance(validations[taskId][v_i].validator, task.validatorFee);
    }
}
```

However, this assumption is not always valid, as we will demonstrate further.

PoC

Let’s consider the following example with four validation oracles returning the corresponding scores:

```
[0.01 ether, 0.02 ether, 0.03 ether, 0.90 ether]
```

It is clear that the fourth oracle is an outlier that needs to be excluded from the awards, and its data should be rejected. However, let’s examine what the calculations will show in this case:

```
mean = (0.01 + 0.02 + 0.03 + 0.90) / 4 = 0.24
variance = ((0.01 - 0.24)^2 + (0.02 - 0.24)^2 + (0.03 - 0.24)^2 + (0.90 - 0.24)^2) / 4 = 0.14525
stddev = sqrt(0.14525) = 0.38111678
```

As clearly illustrated by the calculation results, the mean is less than the standard deviation. Therefore, the code at line #343 will revert due to arithmetic underflow.

Impact

Task validation cannot be finalized due to arithmetic underflow, blocking purchases.

Tools Used

Manual review

Recommendations

  1. Use zero if the mean is less than the standard deviation.

  2. Alternatively, consider employing other methods to filter out outliers.
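The PoC inputs run through the original bound and through Recommendation 1, as an added example that is not the project's code. `InnerMeanDemo` and its function names are hypothetical, and `mean` and `stddev` are passed in as arguments (the values from the PoC) rather than computed on-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Contract and function names are hypothetical.
contract InnerMeanDemo {
    // Bound as written in the report's snippet: `mean - stddev` is checked
    // uint256 arithmetic, so it reverts with Panic(0x11) when stddev > mean.
    function innerOriginal(uint256[] memory scores, uint256 mean, uint256 stddev)
        public pure returns (uint256 innerSum, uint256 innerCount)
    {
        for (uint256 i = 0; i < scores.length; ++i) {
            uint256 score = scores[i];
            if ((score >= mean - stddev) && (score <= mean + stddev)) {
                innerSum += score;
                innerCount++;
            }
        }
    }

    // Recommendation 1: use zero as the lower bound when mean < stddev.
    function innerClamped(uint256[] memory scores, uint256 mean, uint256 stddev)
        public pure returns (uint256 innerSum, uint256 innerCount)
    {
        uint256 lower = mean > stddev ? mean - stddev : 0;
        uint256 upper = mean + stddev;
        for (uint256 i = 0; i < scores.length; ++i) {
            uint256 score = scores[i];
            if (score >= lower && score <= upper) {
                innerSum += score;
                innerCount++;
            }
        }
    }

    // The four scores from the PoC.
    function pocScores() internal pure returns (uint256[] memory s) {
        s = new uint256[](4);
        s[0] = 0.01 ether; s[1] = 0.02 ether; s[2] = 0.03 ether; s[3] = 0.90 ether;
    }

    // Range becomes [0, 0.62111678 ether]: three scores kept, 0.90 ether excluded.
    function pocClamped() external pure returns (uint256 innerSum, uint256 innerCount) {
        return innerClamped(pocScores(), 0.24 ether, 0.38111678 ether);
    }

    // Same inputs through the original bound: this call always reverts.
    function pocOriginal() external pure returns (uint256, uint256) {
        return innerOriginal(pocScores(), 0.24 ether, 0.38111678 ether);
    }
}
```

With the clamp, `pocClamped()` returns an inner sum of 0.06 ether over 3 scores, while `pocOriginal()` reverts on the same inputs.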

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Underflow in `LLMOracleCoordinator::validate`
