Submission Details
Severity:
Incomplete checks in `respond()` of `LLMOracleCoordinator.sol`
Summary
Vulnerability Details
`During respond of Oracle outputshould not be empty`
Its a crusial check that not implemented in code.
Let see what happens when this check missed
oracle sepond with empty Output
received enough responces
let say
task.parameters.numValidations == 0soTaskStatus == completedBuyerAgent call
purchase()where it fetch output == emptyassets fetched from output == empty
operation preformed on empty
function respond(uint256 taskId, uint256 nonce, bytes calldata output, bytes calldata metadata)
public
onlyRegistered(LLMOracleKind.Generator)
onlyAtStatus(taskId, TaskStatus.PendingGeneration)
{
.......
.......
// check if we have received enough responses & update task status
bool isCompleted = responses[taskId].length == uint256(task.parameters.numGenerations); // @audit what if `TaskStatus.PendingValidation` and another response pushed to `responses[]`
if (isCompleted) {
if (task.parameters.numValidations == 0) {
// no validations required, task is completed
task.status = TaskStatus.Completed;
emit StatusUpdate(taskId, task.protocol, TaskStatus.PendingGeneration, TaskStatus.Completed);
} else {
// now we are waiting for validations
task.status = TaskStatus.PendingValidation;
emit StatusUpdate(taskId, task.protocol, TaskStatus.PendingGeneration, TaskStatus.PendingValidation);
}
}
}
Impact
Tools Used
Manual Review
Recommendations
Should check that outputis not empty
Updates
Lead Judging Commences
inallhonesty 8 months ago
Submission Judgement Published Assigned finding tags:
Incomplete checks in `respond()` of `LLMOracleCoordinator.sol`, `output` is not checked
Prize pool breakdown
Total prize
21,000 USDC
nSLOC
1,03420 USDC / LOC
20,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.