Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

There is no guarantee that the task will be completed and that buyerAgent will get a response to its purchaseRequest before the round ends, even though buyerAgent has already paid for the generation and validation

Summary

A buyer can pay fees for generation and validation services and still be exposed to delays beyond their control, because the buyer depends on timely outputs from external generators and validators.

Vulnerability Details

During the buy phase, the owner of BuyerAgent can make an oraclePurchaseRequest.
The buyer has to wait for generators and validators to finish their validation and return an output before they can call purchase.

The issue is that, even though the buyer has paid the necessary fees (platform, generation and validation fees), the buyer has no control over when the scores will be available, and there is no guarantee that they will be available before that buy phase ends.

But purchase requires that it is called in the same round and phase as when the purchase request was made:

    function purchase() external onlyAuthorized {
        (uint256 round, ) = _checkRoundPhase(Phase.Buy);
        ...
    }
    ...
    function _checkRoundPhase(Phase _phase) internal view returns (uint256, Phase) {
        (uint256 round, Phase phase, ) = getRoundPhase();
        if (phase != _phase) {
            revert InvalidPhase(phase, _phase);
        }
        return (round, phase);
    }

There are many factors that can cause delayed finalization of validations:

  1. numGenerations and numValidations are very high. This cannot be called the BuyerAgent's mistake, because he has already paid for the numGenerations and numValidations he is setting.

  2. An error occurs when trying to finalizeValidation

  3. difficulty is high and there are issues in finding the right nonce

Note that generators and validators get paid even if they submit the response after the current phase/round.

As there is no refund mechanism for the BuyerAgent, BuyerAgent:

  • pays fees for generation and validation

  • waits indefinitely, and is at the mercy of generators and validators to return the output before the Buy phase ends

  • if the output is not returned before the phase ends, BuyerAgent does not get a refund, so he paid money for nothing
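The timing window described above, modelled off-chain as an added example (not code from the submission or from the Swan contracts). The phase order Sell, Buy, Withdraw, the interval lengths, the fee amount and the helper names `simulate` and `safe_to_request` are assumptions made for the illustration; `safe_to_request` is a pre-flight check a buyer could run before paying for a request.

```python
from enum import Enum

class Phase(Enum):
    SELL = 0
    BUY = 1
    WITHDRAW = 2

class InvalidPhase(Exception):
    """Stands in for `revert InvalidPhase(phase, _phase)` in _checkRoundPhase."""

# Constructed schedule in seconds; the real intervals are not shown on the page.
INTERVALS = {Phase.SELL: 3600, Phase.BUY: 1800, Phase.WITHDRAW: 600}
CYCLE = sum(INTERVALS.values())

def get_round_phase(t):
    """Return (round, phase, seconds left in phase) at t seconds after creation."""
    rnd, offset = divmod(t, CYCLE)
    for phase, length in INTERVALS.items():
        if offset < length:
            return rnd, phase, length - offset
        offset -= length

def check_round_phase(t, wanted):
    rnd, phase, _ = get_round_phase(t)
    if phase != wanted:
        raise InvalidPhase(f"have {phase.name}, want {wanted.name}")
    return rnd, phase

def simulate(request_at, oracle_latency, fee):
    """Pay `fee` at request time, then attempt purchase() once the result lands."""
    req_round, _ = check_round_phase(request_at, Phase.BUY)  # request needs Buy phase
    ready_at = request_at + oracle_latency
    try:
        rnd, _ = check_round_phase(ready_at, Phase.BUY)
        # Per the report, purchase must happen in the same round as the request.
        purchased = rnd == req_round
    except InvalidPhase:
        purchased = False
    # No refund path exists, so a missed window means the whole fee is lost.
    return {"purchased": purchased, "fee_lost": 0 if purchased else fee}

def safe_to_request(t, worst_case_latency):
    """Pre-flight guard: request only if the result can land inside this Buy phase."""
    _, phase, left = get_round_phase(t)
    return phase == Phase.BUY and worst_case_latency < left
```
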

Impact

This creates a significant issue for the buyer due to the lack of control and assurance over the timing of output delivery, which can ultimately result in lost funds (in the form of fees) without any guarantee of service delivery.

Tools Used

Manual Review

Recommendations

Within BuyerAgent, the owner should be allowed to specify the round he wants to make a purchase for.

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

There is no guarantee that task will be completed and buyerAgent will get a response to its purchaseRequest before the round ends, but that was already paid for
