Dria
Swan
NFTHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Duplicate Oracle Registrations Due to Zero Stake Amounts in register() function inside LLMOracleRegistry.sol contract

invcbull

Summary

In the register() function present in the LLMOracleRegistry.sol contract, there is a vulnerability allowing duplicate oracle registrations if the generatorStakeAmount or validatorStakeAmount is set to zero. This vulnerability arises because the register function relies on a non-zero stake amount to validate uniqueness, so setting it to zero bypasses duplicate registration checks. This issue compromises the reliability and integrity of the oracle network.

Vulnerability Details

Vulnerable Code snippet:

function setStakeAmounts(uint256 _generatorStakeAmount, uint256 _validatorStakeAmount) public onlyOwner {
generatorStakeAmount = _generatorStakeAmount;
validatorStakeAmount = _validatorStakeAmount;
}
function getStakeAmount(LLMOracleKind kind) public view returns (uint256) {
return kind == LLMOracleKind.Generator ? generatorStakeAmount : validatorStakeAmount;
}
function register(LLMOracleKind kind) public {
uint256 amount = getStakeAmount(kind);
// ensure the user is not already registered
if (isRegistered(msg.sender, kind)) {
revert AlreadyRegistered(msg.sender);
}
// ensure the user has enough allowance to stake
if (token.allowance(msg.sender, address(this)) < amount) {
revert InsufficientFunds();
}
token.transferFrom(msg.sender, address(this), amount);
// register the user
registrations[msg.sender][kind] = amount;
emit Registered(msg.sender, kind);
}
function isRegistered(address user, LLMOracleKind kind) public view returns (bool) {
return registrations[user][kind] != 0;
}

Attack Flow:

  1. Stake Amount Configuration: The owner intentionally or unintensionally calls setStakeAmounts with _generatorStakeAmount or _validatorStakeAmount set to zero, creating a zero-stake registration requirement for either oracle type.

  2. Oracle Registration: A user then calls register with kind set to the type with zero stake requirement.

  3. Duplicate Registration:

    • The register function calls getStakeAmount to get the required stake, which returns zero.

    • The isRegistered function checks if registrations[msg.sender][kind] is non-zero to prevent duplicates. However, since the stake amount is zero, this check passes.

    • The registrations[msg.sender][kind] is then set to zero by register, allowing the same user to call register repeatedly, creating duplicate registrations without restriction.

Impact

  • Compromised Oracle Reliability due to duplicate registration: Allowing users to register multiple times without financial stakes can lead to an influx of spam registrations. This diminishes the overall reliability of the oracle network, as it becomes harder to discern legitimate oracles from malicious actors. The integrity of the data provided by the oracles may be questioned, potentially leading to faulty decision-making by dependent systems.

  • Increased Storage Costs: Duplicate registrations inflate on-chain storage requirements, leading to higher operational costs. As the number of duplicate entries grows, it places an unnecessary burden on the blockchain, which could ultimately affect performance and scalability. This inefficiency could also deter future adoption of the oracle system due to cost concerns.

  • Event Log Overload: Each registration triggers a Registered event, resulting in excessive log entries. This log clutter complicates the tracking and auditing of registrations, making it difficult for users and developers to monitor and manage the network effectively. Such disorganization could hinder troubleshooting efforts in the future.

  • Erosion of Trust: If users become aware of the ease with which duplicate registrations can occur, it could lead to a significant erosion of trust in the network's integrity and fairness. A perception of a flawed registration system may dissuade reputable users from participating, ultimately threatening the sustainability and credibility of the oracle network.

  • Potential Exploitation by Malicious Actors: The ability to register multiple times without a stake opens the door for malicious actors to exploit the system. They could create numerous fraudulent oracle accounts, overwhelming the network with false data or manipulating the system to their advantage, leading to potentially severe financial repercussions for users relying on accurate oracle information.

Tools Used

Recommendations

  • Enforce Minimum Stake Amounts in setStakeAmounts: Update setStakeAmounts to require positive, non-zero values for generatorStakeAmount and validatorStakeAmount.

function setStakeAmounts(uint256 _generatorStakeAmount, uint256 _validatorStakeAmount) public onlyOwner {
require(_generatorStakeAmount > 0, "Generator stake amount must be greater than zero");
require(_validatorStakeAmount > 0, "Validator stake amount must be greater than zero");
generatorStakeAmount = _generatorStakeAmount;
validatorStakeAmount = _validatorStakeAmount;
}

  • Direct Duplicate Check in register: Add a check within register to verify that a user is not already registered for a specific oracle type, regardless of stake amount.

Implementing these changes will help prevent duplicate registrations, ensuring the oracle system maintains its integrity and reliability.

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.