Dria
Swan
NFTHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Improper range used for validator score acceptance

goran

Summary

Oracle coordinator stores deviation factors generationDeviationFactor and validationDeviationFactor. The coordinator selects generators eligible for a reward by checking if they got scored within generationDeviationFactor of standard deviations away from the mean. Presumably same logic should be used when selecting validators eligible for reward. However, validationDeviationFactor is unused so only validators whose scores are within 1 standard deviation are rewarded.

Vulnerability Details

Constant validationDeviationFactor is unused when selecting validators eligible for a reward in the following chunk of code:

if ((score >= _mean - _stddev) && (score <= _mean + _stddev)) {
innerSum += score;
innerCount++;
// send validation fee to the validator
_increaseAllowance(validations[taskId][v_i].validator, task.validatorFee);
}

Impact

Some validators unfairly do not receive rewards - ie. their score is 1.5 stddevs from the mean, but only 1 stddev gets accepted event though validationDeviationFactor is set to 2.

Tools Used

Manual review

Recommendations

Change implementation to update the acceptance range in the following way (but should also check for underflow):

- if ((score >= _mean - _stddev) && (score <= _mean + _stddev)) {
+ if ((score >= _mean - validationDeviationFactor * _stddev) && (score <= _mean + validationDeviationFactor * _stddev)) {
Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.