Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Lack of Kind Validation in `register` Function Allows Invalid Registration Types

Summary

The register function in LLMOracleRegistry.sol allows users to register with an invalid LLMOracleKind type, potentially leading to unintended registrations. Because LLMOracleKind is defined as an enum, any arbitrary integer can be cast to LLMOracleKind, allowing a user to bypass the expected validation. This may cause the registry to emit incorrect event types, incorrectly process fees, and mislabel users within the system.

Vulnerability Detail

The register function uses the LLMOracleKind enum to allow a user to register as either a Generator or a Validator:

```solidity
enum LLMOracleKind {
    Generator,
    Validator
}
```

However, the function does not validate that the input kind is restricted to these specific enum values. Because kind is not checked against valid enum values, a user can input arbitrary values, causing the registration to proceed with an invalid kind and misleading event emissions. This oversight could lead to users mistakenly being registered with incorrect roles and paying unintended fees.

Impact

By exploiting this vulnerability, users can:

  • Register with an undefined or unexpected kind, leading to inconsistencies in user roles within the registry.

  • Potentially pay incorrect fees or bypass the correct validation checks associated with the expected Generator or Validator roles.

  • Cause confusion or misuse in the system as events emit incorrect registration types.

Code Snippet

```solidity
function register(LLMOracleKind kind) public { // @audit can register for any kind other than generator/validator
    uint256 amount = getStakeAmount(kind);
    // ensure the user is not already registered
    if (isRegistered(msg.sender, kind)) {
        revert AlreadyRegistered(msg.sender);
    }
    // ensure the user has enough allowance to stake
    if (token.allowance(msg.sender, address(this)) < amount) {
        revert InsufficientFunds();
    }
    token.transferFrom(msg.sender, address(this), amount);
    // register the user
    registrations[msg.sender][kind] = amount;
    emit Registered(msg.sender, kind); // @audit will emit an unknown kind
}
```

Recommendation

Add a check at the start of the function to ensure that kind is a valid LLMOracleKind enum value (either Generator or Validator). This can be done by verifying that the kind is either 0 or 1, preventing any unintended kind values from being processed.

Suggested fix:

```solidity
function register(LLMOracleKind kind) public {
    // Ensure the kind is valid
    if (kind != LLMOracleKind.Generator && kind != LLMOracleKind.Validator) {
        revert InvalidKind();
    }
    uint256 amount = getStakeAmount(kind);
    // Ensure the user is not already registered
    if (isRegistered(msg.sender, kind)) {
        revert AlreadyRegistered(msg.sender);
    }
    // Ensure the user has enough allowance to stake
    if (token.allowance(msg.sender, address(this)) < amount) {
        revert InsufficientFunds();
    }
    token.transferFrom(msg.sender, address(this), amount);
    // Register the user
    registrations[msg.sender][kind] = amount;
    emit Registered(msg.sender, kind);
}
```

By validating the kind input, we prevent users from registering with invalid types, preserving the integrity of the registration process and ensuring that only legitimate Generator or Validator roles are registered.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
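
A check a reviewer can run against the claim in this submission, which the judgement above rejects as an incorrect statement. This is an added example, not code from the submission or from the Dria codebase: it sends `register` calldata carrying raw `uint8` values to a constructed stub that declares the same enum. It assumes Solidity 0.8.x, where the ABI decoder reverts on an enum word outside the declared range; `RegistryStub`, `EnumRangeProbe`, `tryRegister` and `check` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Same enum as in the submission.
enum LLMOracleKind {
    Generator,
    Validator
}

// Constructed stand-in for the registry: same external signature,
// staking and fee logic omitted. Not the project's contract.
contract RegistryStub {
    mapping(address => mapping(LLMOracleKind => bool)) public registered;

    event Registered(address indexed user, LLMOracleKind kind);

    function register(LLMOracleKind kind) public {
        registered[msg.sender][kind] = true;
        emit Registered(msg.sender, kind);
    }
}

contract EnumRangeProbe {
    RegistryStub public registry;

    constructor() {
        registry = new RegistryStub();
    }

    // Builds register() calldata by hand so the enum word can hold any uint8,
    // then reports whether the callee accepted the call.
    function tryRegister(uint8 rawKind) public returns (bool accepted) {
        bytes memory data = abi.encodeWithSelector(RegistryStub.register.selector, rawKind);
        (accepted, ) = address(registry).call(data);
    }

    // Reverts with a message if the decoder behaves differently from the assumption.
    function check() external returns (bool) {
        require(tryRegister(0), "Generator rejected");
        require(tryRegister(1), "Validator rejected");
        // 2 and 255 are not members of LLMOracleKind: decoding fails before the body runs.
        require(!tryRegister(2), "out-of-range kind accepted");
        require(!tryRegister(255), "out-of-range kind accepted");
        return true;
    }
}
```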
