Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

`LLMOracleRegistry::validate` lacks sanity checks on `scores`

Summary

A malicious validator can pass in an incorrect score because the `scores` array is not sanitized.

Vulnerability Details

The protocol allows anyone to become a validator via the `LLMOracleRegistry::register` function. Note that there is no whitelisting mechanism, nor any way for the admins to remove oracles.

A malicious actor can register as a validator and honestly compute the proof-of-work nonce, but pass an incorrect score to the `LLMOracleCoordinator::validate` function, as it lacks sufficient checks.

```solidity
function validate(uint256 taskId, uint256 nonce, uint256[] calldata scores, bytes calldata metadata) {
    // ...
    // check nonce (proof-of-work)
    assertValidNonce(taskId, task, nonce); // <@ Does not sanitize the scores array in any way.
    // ...
}
```

Such actors can keep listening for other validators calling the `LLMOracleCoordinator::validate` function and simply pass a mean score. This lets them avoid doing any work other than calculating the nonce.

Impact

Malicious validators would pass incorrect scores, affecting the outcome.

Tools Used

Manual Review

Recommendations

Introduce whitelisting in LLMOracleRegistry.
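
As a complement to whitelisting, the missing sanity check on `scores` could look like the sketch below. This is an added example, not code from the Dria repository: `ScoreSanity`, `ValidateSketch`, `MAX_SCORE`, `NUM_RESPONSES` and the storage layout are hypothetical names and values chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; not code from the Dria repository.
library ScoreSanity {
    error ScoreCountMismatch(uint256 got, uint256 expected);
    error ScoreOutOfRange(uint256 index, uint256 score, uint256 maxScore);

    /// Reverts unless there is exactly one score per response and every
    /// score lies in [0, maxScore].
    function assertValidScores(
        uint256[] calldata scores,
        uint256 expectedCount,
        uint256 maxScore
    ) internal pure {
        if (scores.length != expectedCount) {
            revert ScoreCountMismatch(scores.length, expectedCount);
        }
        for (uint256 i = 0; i < scores.length; ++i) {
            if (scores[i] > maxScore) {
                revert ScoreOutOfRange(i, scores[i], maxScore);
            }
        }
    }
}

/// Hypothetical harness with the same validate() signature as the excerpt above.
contract ValidateSketch {
    uint256 public constant MAX_SCORE = 100;   // assumed scale, not from the page
    uint256 public constant NUM_RESPONSES = 3; // assumed responses per task

    mapping(uint256 => uint256[]) private acceptedScores;

    function validate(uint256 taskId, uint256, uint256[] calldata scores, bytes calldata) external {
        // The proof-of-work nonce check from the excerpt would run here.
        ScoreSanity.assertValidScores(scores, NUM_RESPONSES, MAX_SCORE);
        acceptedScores[taskId] = scores; // reached only for well-formed, in-range scores
    }

    function scoresOf(uint256 taskId) external view returns (uint256[] memory) {
        return acceptedScores[taskId];
    }
}
```

A range and length check bounds how far a single submission can move the outcome; it does not stop a validator from copying scores observed in other validators' transactions.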

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Unbounded score values in `validate` function
