Summary

A vulnerability has been identified in the Statistics contract where the variance calculation can revert due to integer underflow when the mean is greater than any individual data point.

Vulnerability Details

In Statistics.sol:22, the variance calculation function contains a mathematical operation that can cause an underflow. The relevant code section shows:

The vulnerability exists because:

1. The calculation uses unsigned integers (uint256)

2. When mean is larger than data[i], subtraction will underflow

3. No check exists to handle cases where mean > individual data points

4. The current implementation assumes all data points are greater than or equal to the mean

Example of failure:

Impact

• Function reverts for valid statistical calculations

• Unusable for datasets where mean exceeds any data point

• Causes the purchase score validation logic to fail if any given score is less than the mean of all the scores

Tools Used

Manual Review

Recommendations

To address this vulnerability, implement the following measures:

1. Use Absolute Difference

   function variance(uint256[] memory data) internal pure returns (uint256 ans, uint256 mean) {

   mean = avg(data);

   uint256 sum = 0;

   for (uint256 i = 0; i < data.length; i++) {

   // Calculate absolute difference to prevent underflow

   uint256 diff = data[i] > mean ? data[i] - mean : mean - data[i];

   sum += diff * diff;

   }

   ans = sum / data.length;

   }