Validators are required to validate generated output by providing an array of scores in the validate function. The values in the scores array are expected to be between 0e18 and 1e18, according to sponsor specifications. However, no range check is in place for the values in the scores array, which allows a malicious validator to submit values outside the expected range. This vulnerability can result in a denial of service (DoS) attack on a specific request or task.
The LLMOracleCoordinator::validate() function accepts a uint256 array of scores, which should ideally be within the range of 0e18 to 1e18 as per sponsor instructions. However, there is no validation to enforce this range. As a result, a malicious validator could pass excessively large values, such as 100e18 or 1000e18, leading to undesirable behavior.
Consider the following scenario:
Number of Generations: 1
Number of Validations Required: 5
Validator Scores: [0.5, 0.6, 0.5, 10 (from a malicious validator), 0.6] (Ignoring the 18 decimals)
In this case, when the finalizeValidation function is called after the last validation, it will fail due to the skewed scores caused by the malicious validator. Specifically:
Standard Deviation of Validator Scores: 3.7802645410077
Mean of Validator Scores: 2.44
The following code snippet will revert due to the malicious score:
This will cause a denial of service (DoS) for the request due to the single malicious validator score.
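The scenario above, worked through in 18-decimal integer arithmetic as an added example (it is not code from the contest repository). It assumes finalization keeps scores within one standard deviation of the mean and computes the lower bound with checked unsigned subtraction; check_scores, finalize, checked_sub and outcome are hypothetical names for this model.

```python
from math import isqrt

WAD = 10**18        # 18-decimal fixed point: 1e18 represents a score of 1.0
MAX_SCORE = WAD     # upper bound of the expected range given on the page

class Revert(Exception):
    """Stands in for a Solidity revert."""

def checked_sub(a, b):
    # uint256 subtraction with checked arithmetic: underflow reverts, never wraps
    if b > a:
        raise Revert("arithmetic underflow")
    return a - b

def mean_stddev(scores):
    # Population mean and standard deviation in integer fixed-point math
    mean = sum(scores) // len(scores)
    variance = sum((s - mean) ** 2 for s in scores) // len(scores)
    return mean, isqrt(variance)

def check_scores(scores):
    # Hypothetical range check applied when a validator submits scores
    for s in scores:
        if not 0 <= s <= MAX_SCORE:
            raise Revert("score out of range")
    return scores

def finalize(all_scores):
    # Assumed outlier filter: keep scores within one stddev of the mean
    mean, stddev = mean_stddev(all_scores)
    low = checked_sub(mean, stddev)     # reverts whenever stddev > mean
    high = mean + stddev
    return [s for s in all_scores if low <= s <= high]

# Constructed from the page's scenario: 0.5, 0.6, 0.5, 10, 0.6 (18 decimals)
SCENARIO = [5 * WAD // 10, 6 * WAD // 10, 5 * WAD // 10, 10 * WAD, 6 * WAD // 10]

def outcome(fn, scores):
    # Return "ok" or the revert reason, so results can be compared directly
    try:
        fn(scores)
        return "ok"
    except Revert as exc:
        return str(exc)

if __name__ == "__main__":
    mean, stddev = mean_stddev(SCENARIO)
    print("mean  ", mean / WAD)
    print("stddev", stddev / WAD)
    print("finalize without range check:", outcome(finalize, SCENARIO))
    print("range check at submission:   ", outcome(check_scores, SCENARIO))
```

In this model the range check bounds each score but does not by itself guarantee that the mean is at least the standard deviation, so a lower bound that saturates at zero is a useful companion to it.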
Relevant links:
https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleCoordinator.sol#L260
https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleCoordinator.sol#L343
The potential impacts of this attack by a malicious validator include:
The targeted request can never be validated or completed.
Genuine validators and generators lose their fees due to the failed validation.
Manual review
Add the following check in the validate function: