Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: low
Valid

Missing Non-Empty Input and Output Validation Allows Bypassing Proof-of-Work and Acceptance of Invalid Responses

Summary

The LLMOracleCoordinator contract lacks validation checks to ensure that the input in the request function and the output in the respond function are non-empty. Despite comments indicating these fields must be non-empty, empty responses can be submitted, potentially undermining the protocol's integrity.

Vulnerability Details

In the LLMOracleCoordinator contract, both the request and respond functions are critical for processing tasks and responses:

  1. Request Function:

    /// @notice Request LLM generation.
    /// @dev Input must be non-empty.
    function request(
        bytes32 protocol,
        bytes memory input,
        bytes memory models,
        LLMOracleTaskParameters calldata parameters
    ) public onlyValidParameters(parameters) returns (uint256) {
        // ...
    }

    The comment indicates that input must be non-empty, but there is no code enforcing this constraint. This omission means users can submit tasks with empty inputs.

  2. Respond Function:

    /// @notice Respond to an LLM generation.
    /// @dev Output must be non-empty.
    function respond(uint256 taskId, uint256 nonce, bytes calldata output, bytes calldata metadata)
        public
        onlyRegistered(LLMOracleKind.Generator)
        onlyAtStatus(taskId, TaskStatus.PendingGeneration)
    {
        // ...
    }

    Similarly, the output parameter is supposed to be non-empty, but there is no validation to enforce this.

Use of input in Proof-of-Work Validation:

The input is utilized in the assertValidNonce function for PoW validation:

    function assertValidNonce(uint256 taskId, TaskRequest storage task, uint256 nonce) internal view {
        bytes memory message = abi.encodePacked(taskId, task.input, task.requester, msg.sender, nonce);
        if (uint256(keccak256(message)) > type(uint256).max >> uint256(task.parameters.difficulty)) {
            revert InvalidNonce(taskId, nonce);
        }
    }

If input is empty, the entropy of the message used for PoW decreases, potentially making it easier for an attacker to find a valid nonce, thereby weakening the security provided by the PoW mechanism.

Lack of output Validation:

Allowing empty output values means that oracles can submit responses without meaningful data. This can lead to:

  • Acceptance of invalid or meaningless outputs.

  • Disruption of protocol functionality.

  • Propagation of incorrect data to users or other contracts relying on the output.

Impact

  • Security Weakening: An empty input reduces the complexity of the PoW nonce, making it easier for attackers to generate valid nonces and spam the network with malicious tasks or responses.

  • Integrity Compromise: Accepting empty output allows oracles to submit non-informative responses, potentially leading to incorrect or harmful outputs being used by the system.

Tools Used

Manual Review

Recommended Mitigation

  1. Enforce Non-Empty input in request Function:

    Add a check to ensure input is not empty:

        require(input.length > 0, "Input must be non-empty");

  2. Enforce Non-Empty output in respond Function:

    Add a check to ensure output is not empty:

        require(output.length > 0, "Output must be non-empty");
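The two checks above, folded into a minimal stand-in contract together with a Foundry test that exercises them. This is an added example, not the project's code: the contract name, struct layout, custom error names and the forge-std import are assumptions, and the PoW check is copied from the report with the difficulty stored directly on the task.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the coordinator (assumption): only request/respond and the
// PoW check are sketched, with the non-empty checks added at the top of each entry point.
contract HardenedCoordinatorSketch {
    struct TaskRequest { address requester; bytes input; uint8 difficulty; }
    error EmptyInput();
    error EmptyOutput();
    error InvalidNonce(uint256 taskId, uint256 nonce);
    uint256 public nextTaskId = 1;
    mapping(uint256 => TaskRequest) internal tasks;

    function request(bytes calldata input, uint8 difficulty) external returns (uint256 taskId) {
        // Reject empty input before any state is written.
        if (input.length == 0) revert EmptyInput();
        taskId = nextTaskId++;
        tasks[taskId] = TaskRequest(msg.sender, input, difficulty);
    }

    function respond(uint256 taskId, uint256 nonce, bytes calldata output) external {
        // Reject empty output before the PoW check: a response with no data never counts.
        if (output.length == 0) revert EmptyOutput();
        _assertValidNonce(taskId, tasks[taskId], nonce);
        // storing the output and advancing the task status is omitted from this sketch
    }

    // Same PoW check as in the report: the input is part of the hashed message.
    function _assertValidNonce(uint256 taskId, TaskRequest storage task, uint256 nonce) internal view {
        bytes memory message = abi.encodePacked(taskId, task.input, task.requester, msg.sender, nonce);
        if (uint256(keccak256(message)) > type(uint256).max >> uint256(task.difficulty)) {
            revert InvalidNonce(taskId, nonce);
        }
    }
}

// Foundry tests: both empty-argument calls must revert with the new custom errors.
contract HardenedCoordinatorTest is Test {
    HardenedCoordinatorSketch c = new HardenedCoordinatorSketch();

    function testEmptyInputReverts() public {
        vm.expectRevert(HardenedCoordinatorSketch.EmptyInput.selector);
        c.request("", 0);
    }

    function testEmptyOutputReverts() public {
        uint256 id = c.request("prompt", 0); // difficulty 0: any nonce passes the PoW check
        vm.expectRevert(HardenedCoordinatorSketch.EmptyOutput.selector);
        c.respond(id, 0, "");
    }
}
```

Run with `forge test`; the custom errors are cheaper than revert strings and give an off-chain client a selector to match on.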
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No validation of input and models in `request` function

Appeal created

johny7173 Submitter
9 months ago
inallhonesty Lead Judge
9 months ago
inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No validation of input and models in `request` function

Incomplete checks in `respond()` of `LLMOracleCoordinator.sol`, `output` is not checked
