Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Inability to Unregister Already Registered Oracle Users in LLMOracleRegistry.sol

invcbull

Summary

In the unregister() function present in the LLMOracleRegistry.sol contract, there exists a vulnerability that prevents registered users from successfully unregistering as oracles. This issue arises because the function allows users to unregister without adequately validating their registration status against the actual stake amounts. As a result, users may find themselves stuck as registered oracles indefinitely, which can lead to potential misuse and operational inefficiencies within the oracle network.

Vulnerability Details

Vulnerable Code Snippet:

/// @notice Remove registration of an Oracle.

/// @dev Reverts if the user is not registered.

/// @param kind The kind of Oracle to unregister.

/// @return amount Amount of stake approved back.

function unregister(LLMOracleKind kind) public returns (uint256 amount) {

amount = registrations[msg.sender][kind];

// ensure the user is registered

if (amount == 0) {

revert NotRegistered(msg.sender);

}

// unregister the user

delete registrations[msg.sender][kind];

emit Unregistered(msg.sender, kind);

// approve its stake back

token.approve(msg.sender, token.allowance(address(this), msg.sender) + amount);

}

Attack Flow:

Stake Amount Configuration: The owner could set the generatorStakeAmount or validatorStakeAmount to zero using the setStakeAmounts function, leading to a situation where no financial commitment is required for registration.
User Registration: Users register as oracles without a stake, since the stake amounts are zero. This creates an entry in the registrations mapping with an amount of zero.
Failed Unregistration: When a user attempts to unregister, the function checks if registrations[msg.sender][kind] is non-zero. If the user registered without any stake, the function will revert with the NotRegistered error, even though they appear registered in the context of the oracle system.
Infinite Registration Loop: Since the user cannot unregister, they remain in the system without any stake. This creates a situation where the registration system becomes cluttered with users who cannot properly unregister, leading to inefficiencies and potential misuse.

Impact

Inability to Remove Users: Users who wish to unregister cannot do so, leading to a growing pool of inactive or unnecessary registrations. This may complicate management and tracking of registered oracles within the system.

Operational Inefficiencies: The inability to unregister can result in increased storage costs and operational overhead as the network is burdened with stale registrations that serve no purpose.
Cluttered Registration Space: Over time, the registrations mapping can become cluttered with entries that are effectively useless, complicating future audits and event logging for active oracles.
Loss of Trust: If users perceive the oracle system as having flawed management for registered entities, it may lead to distrust in the network’s reliability. This could dissuade new users from participating, ultimately threatening the sustainability of the oracle system and protocol

Tools Used

Manual Review

Recommendations

Prevent Zero Stake Amounts: Update the setStakeAmounts function to ensure that both generatorStakeAmount and validatorStakeAmount cannot be set to zero. This can be done using the following validation:

function setStakeAmounts(uint256 _generatorStakeAmount, uint256 _validatorStakeAmount) public onlyOwner {

require(_generatorStakeAmount > 0, "Generator stake amount must be greater than zero");

require(_validatorStakeAmount > 0, "Validator stake amount must be greater than zero");

generatorStakeAmount = _generatorStakeAmount;

validatorStakeAmount = _validatorStakeAmount;

}

Enhance User Management Logic: Review and potentially redesign the registration and unregistration logic to ensure that it is robust against manipulation and allows for effective management of oracle registrations.

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.