Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

By allowing validators to input any uint256 value as score, there are multiple places where an overflow can occur

emmanuel

Summary

Lack of overflow protection when performing arithmetic operations in functions handling scores and statistical calculations. Without safeguards, a malicious validator could input maximum values (max(uint256)) to cause overflow during summing operations. This can lead to failures or incorrect calculations in functions like avg, variance, and finalizeValidation

Vulnerability Details

For example, avg sums up all the scores in the data[]:

function avg(uint256[] memory data) internal pure returns (uint256 ans) {

uint256 sum = 0;

for (uint256 i = 0; i < data.length; i++) {

sum += data[i];//overflow

}

ans = sum / data.length;

}

if any validator inputs a score of max(uint256), finalizeValidation will always fail due to the overflow during addition

Other Instances:

Statistics#avg
Statistics#variance:

function variance(uint256[] memory data) internal pure returns (uint256 ans, uint256 mean) {

mean = avg(data);

uint256 sum = 0;

for (uint256 i = 0; i < data.length; i++) {

uint256 diff = data[i] - mean;

sum += diff * diff;//overflow

}

ans = sum / data.length;

}

LLMOracleCoordinator#finalizeValidation:

function finalizeValidation(uint256 taskId) private {

...

for (uint256 g_i = 0; g_i < task.parameters.numGenerations; g_i++) {

...

for (uint256 v_i = 0; v_i < task.parameters.numValidations; ++v_i) {

uint256 score = scores[v_i];

if ((score >= _mean - _stddev) && (score <= _mean + _stddev)) {

innerSum += score; //@audit-info overflow

innerCount++;

// send validation fee to the validator

_increaseAllowance(validations[taskId][v_i].validator, task.validatorFee);

}

...

}

...

}

Impact

Malicious validators can exploit this by inputting extremely high scores, causing arithmetic overflows that result in incorrect averages, variances, or other statistical measures. This can lead to failures in functions such as finalizeValidation, where calculations on these scores are essential for distributing rewards or validating outcomes.

Tools Used

Manual Review

Recommendations

valid score values should be in a range, and revert if validator inputs score outside the range

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.