Validation can't be finalized for certain generation deviation factors
Summary
When finalizing the validations coordinator will also calculate which generators (responders) are eligible for rewards. It also aims to filter out lower outliers:
There is an implicit assumption here that mean is greater than generationDeviationFactor * stddev, because if it is not, the check will underflow and TX will revert. The likelihood of this happening increases the higher value generationDeviationFactor is set to. The default value for generationDeviationFactor is 1, but it can be changed by oracle coordinator's owner at any point.
Vulnerability Details
Let's say the number of validators for a given task is 3 and the number of generators is 1. Here's a scenario that triggers the bug:
in round 1, validators score the response with scores 1, 100 and 200 respectively. All good
at the end of round 1, coordinator's owner calls
setDeviationFactorsand setsgenerationDeviationFactorto 2 (previously it was default value of1)in round 2, 1st and 2nd validators score the new task's response with scores of 1 and 100 again. Last validator also wants to score new task's response by 200. However call to
validatewill now fail, becausemean - generationDeviationFactor * stddevunderflows.
Impact
Due to this bug not all scoring outcomes are possible and that impacts the fairness of final scoring and reward distribution.
Tools Used
Manual review
Recommendations
Change implementation to avoid underflow, ie.:
Lead Judging Commences
Underflow in `LLMOracleCoordinator::validate`
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.