The variance calculation may overflow, causing the oracle to be unable to return correct data, which ultimately results in the seller and buyer losing fees and being unable to complete the transaction.
Background:
The basic call sequence for a purchase is: the seller lists items and pays the listing fee during the sell phase, the buyer makes a purchase request and pays the oracleFee during the buy phase, and then the purchase function is called to execute the transaction.
If the oracle is unable to provide correct data, the buyer will be unable to make a purchase.
The function that calculates variance computes the difference between each rating and the average. As long as not all ratings are equal, some values will be greater than the average and some will be less. When the protocol calculates the difference, it always subtracts the average from the rating, so for a rating below the average the uint subtraction would produce a negative number, causing a revert.
Both the seller and the buyer will lose their fees and be unable to complete the transaction. As a result, the protocol functions are almost entirely unusable.
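The revert described above, next to one way to avoid it, as an added example that is not the audited contract's code. The contract name, function names and the integer-mean helper are hypothetical; only the pattern of subtracting the average from each rating in uint arithmetic comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: all names here are hypothetical, not the protocol's own.
contract VarianceExample {
    // Pattern from the finding: always computes rating - mean.
    // Under Solidity >=0.8 checked arithmetic this reverts with Panic(0x11)
    // as soon as any rating is below the computed mean, e.g. [3, 5] (mean 4).
    function varianceUnsafe(uint256[] memory ratings) public pure returns (uint256) {
        uint256 mean = _mean(ratings);
        uint256 sumSq = 0;
        for (uint256 i = 0; i < ratings.length; i++) {
            uint256 diff = ratings[i] - mean; // underflows when ratings[i] < mean
            sumSq += diff * diff;
        }
        return sumSq / ratings.length;
    }

    // Hardened form: take the absolute difference before squaring, so the
    // subtraction is always larger-minus-smaller. For [3, 5] this returns 1.
    function varianceSafe(uint256[] memory ratings) public pure returns (uint256) {
        uint256 mean = _mean(ratings);
        uint256 sumSq = 0;
        for (uint256 i = 0; i < ratings.length; i++) {
            uint256 r = ratings[i];
            uint256 diff = r >= mean ? r - mean : mean - r;
            sumSq += diff * diff;
        }
        return sumSq / ratings.length;
    }

    // Integer (floored) mean; rejects an empty array to avoid division by zero.
    function _mean(uint256[] memory ratings) private pure returns (uint256) {
        require(ratings.length > 0, "no ratings");
        uint256 sum = 0;
        for (uint256 i = 0; i < ratings.length; i++) {
            sum += ratings[i];
        }
        return sum / ratings.length;
    }
}
```

Because the difference is squared, using its absolute value does not change the variance; it only removes the revert path.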
manual