Submission Details
Severity:
Incorrect Calculation of Fees in `LLMOracleManager.getFee()`
## Summary
`LLMOracleManager.getFee()` incorrectly calculates the `totalFees` to be paid by the buyer agent.
## Vulnerability Details
- `LLMOracleManager.getFee()` function is used to calculate the total fees (platform + generator fees + validators fees) to be paid by the buyer agent when he makes a purchase request via `BuyerAgent.oraclePurchaseRequest` or a state update request via `BuyerAgent.oracleStateRequest`
```javascript
function request(
bytes32 protocol,
bytes memory input,
bytes memory models,
LLMOracleTaskParameters calldata parameters
) public onlyValidParameters(parameters) returns (uint256) {
(uint256 totalfee, uint256 generatorFee, uint256 validatorFee) = getFee(parameters);
//...
}
```
where the fees are calculated based on the task difficulty and the number of validators and generators:
```javascript
function getFee(
LLMOracleTaskParameters calldata parameters
) public view returns (uint256 totalFee, uint256 generatorFee, uint256 validatorFee) {
uint256 diff = (2 << uint256(parameters.difficulty));
generatorFee = diff * generationFee;
validatorFee = diff * validationFee;
totalFee = //<< @audit : incorrect calculation
platformFee +
(parameters.numGenerations * (generatorFee + (parameters.numValidations * validatorFee)));
}
```
- But as can be noticed in the `getFee()`; the `totalFee` is incorrectly calculated as:
```javascript
totalFee =
platformFee +
parameters.numGenerations *
(generatorFee + parameters.numValidations * validatorFee);
```
where the `generatorFee` is mistakenly placed inside the parentheses of the validator fees calculation, while it should be :
```diff
totalFee =
platformFee +
- parameters.numGenerations *
- (generatorFee + parameters.numValidations * validatorFee);
+ parameters.numGenerations * generatorFee
+ parameters.numValidations * validatorFee;
```
## Impact
- If the task doesn't require validation, then the `totalFee` calculated and paid by the buyer agent will be enough to cover one generator only , and the rest of the generators will be paid by the coordinator contract balance taht is allocated for other tasks.
- If the task requires validation, then the user might be paying less/more fees depending on the number of generators , validators, generatorFee and validatorFee.
## Proof of Concept
[LLMOracleManager.getFee() function/ L119](https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleManager.sol#L119)
```javascript
function getFee(LLMOracleTaskParameters calldata parameters)
public
view
returns (uint256 totalFee, uint256 generatorFee, uint256 validatorFee)
{
//...
totalFee =
platformFee + (parameters.numGenerations * (generatorFee + (parameters.numValidations * validatorFee)));
}
```
## Tools Used
Manual Review.
## Recommendations
```diff
function getFee(LLMOracleTaskParameters calldata parameters)
public
view
returns (uint256 totalFee, uint256 generatorFee, uint256 validatorFee)
{
//...
totalFee =
- platformFee + (parameters.numGenerations * (generatorFee + (parameters.numValidations * validatorFee)));
+ platformFee + parameters.numGenerations * generatorFee + parameters.numValidations * validatorFee;
}
```
Prize pool breakdown
Total prize
21,000 USDC
nSLOC
1,03420 USDC / LOC
20,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.