Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: medium
Valid

A malicious user can register multiple wallets to act as generators and validators, thus farming fees, and disrupting the system.

Vulnerability Details

Anyone can register as a generator or validator by staking tokens, even without intending to operate as a genuine oracle node.

With the oracle parameters limiting the number of generations and validations to 10 at deployment, a malicious actor can exploit this by registering multiple wallets as generators and validators.

These addresses, which do not operate as legitimate oracle nodes and face no slashing mechanism that would penalize misconduct, can respond quickly to pending generations or validations and thereby farm fees. Fake validators can further disrupt the system by submitting incorrect scores that are close in range to, but still differ from, the legitimate scores. This distorts the mean and standard deviation used in fee distribution, so genuine validators are deprived of their rightful earnings.
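The distortion described above, as an added simulation that is not part of the submission or the Swan code: the eligibility rule (a validator is paid only when its score lies within one standard deviation of the mean) and the registry class are assumptions chosen to illustrate the finding and the whitelist recommendation, and the scores and addresses are constructed.

```python
from statistics import mean, pstdev

# Assumed fee rule (not taken from the Swan code): a validator is paid only
# when its score lies within one population standard deviation of the mean.
def eligible_validators(scores):
    """Return indices of validators whose score is within mean +/- pstdev."""
    mu = mean(scores)
    sigma = pstdev(scores)
    return [i for i, s in enumerate(scores) if abs(s - mu) <= sigma + 1e-12]

def simulate(genuine, fake):
    """Run the rule on genuine scores followed by attacker-wallet scores."""
    scores = list(genuine) + list(fake)
    n = len(genuine)
    paid = set(eligible_validators(scores))
    return {
        "genuine_paid": sorted(i for i in paid if i < n),
        "fake_paid": sorted(i - n for i in paid if i >= n),
        "mean": mean(scores),
        "stdev": pstdev(scores),
    }

# Mitigation from the Recommendations section, modelled as a registry that
# only admits whitelisted addresses (class and names constructed here).
class ValidatorRegistry:
    def __init__(self, whitelist):
        self.whitelist = set(whitelist)
        self.registered = []

    def register(self, addr):
        if addr not in self.whitelist:
            raise PermissionError(f"{addr} is not a whitelisted oracle node")
        self.registered.append(addr)
        return True

# Constructed scenario: 3 honest validators agree on a score of 8, while
# 7 attacker wallets fill the remaining slots of the 10-validation cap
# with a nearby but different score of 7.
GENUINE = [8, 8, 8]
FAKE = [7] * 7

if __name__ == "__main__":
    print(simulate(GENUINE, []))    # honest only: all three are paid
    print(simulate(GENUINE, FAKE))  # with fakes: mean drops to 7.3, stdev
                                    # to ~0.46, and no honest validator is paid
```

With the fakes present the honest scores sit 0.7 from the mean while the fake scores sit 0.3 from it, so only the attacker wallets fall inside the band; the registry check rejects such wallets before they can submit a score.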

Impact

  1. The generated results for requests will be compromised.

  2. Legitimate generators and validators may be denied their fees, reducing the effectiveness and reliability of the oracle system.

Tools Used

Manual Review

Recommendations

  1. Enforce a whitelist for node registration to ensure only trusted addresses can participate.

  2. Introduce a slashing mechanism to penalize and deter malicious activity.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

There is no oracle whitelisting
