The variance might be greater than the mean, leading to an overflow. This can cause the oracle to fail in returning correct data, resulting in the seller and buyer losing their fees.
Summary
The variance might be greater than the mean, leading to an overflow. This can cause the oracle to fail in returning correct data, resulting in the seller and buyer losing their fees.
Vulnerability Details
Background:
-
The basic call sequence for a purchase is: the seller lists items and pays the listing fee during the sell phase, the buyer makes a purchase request and pays the oracleFee during the buy phase, and then the purchase function is called to execute the transaction.
-
During the calculation, the mean is directly subtracted from the variance. Since all data comes from LLMs, it cannot be guaranteed that the variance will always be less than the mean. If the variance is larger, it can cause underflow, which prevents the oracle from obtaining a result.
for (uint256 v_i = 0; v_i < task.parameters.numValidations; ++v_i) {uint256 score = scores[v_i];@> if ((score >= _mean - _stddev) && (score <= _mean + _stddev)) {innerSum += score;innerCount++; -
Additionally, since anyone can become a node, there is no penalty for constructing malicious data. Therefore, the score data received here may be overflowed by malicious constructs.
Impact
The seller and buyer may lose their fees, and the NFT transaction will not be completed.
Tools Used
manual
Lead Judging Commences
Underflow in `LLMOracleCoordinator::validate`
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.