No flash loan protection allows trash validators / generators to influence responses / grades
Summary
To register as a validator/generator you only need to deposit in LLMOracleRegistry contract. The key feature is that there is no time limit on the deposit - and it can be withdrawn in the same transaction as the deposit was made.
That is, any user does not cost anything just to register as a validator, influence the system’s operation, and immediately withdraw money.
There is no problem of deposit size, any flash loan without interest will allow the user to damage the system for free.
Vulnerability Details
Consider how a trash generator can damage the system.
Provide trash responses to the taskId.
If the taskID numOfValidations = 0, it just takes generatorFee for his trash response.
If the taskID is numOfValidations != 0 - then its trash response it will simply take the place of the current generator. (Number of generations per one taskId is limited)
Consider how a trash validator can damage the system.
Since the best method of averaging is chosen from all ratings, the trash ratings that will be displayed by the trash validator are present incorrect final evaluation.Because of the shift average. Also because of this some validators may not get validator fee.
Impact
Obviously not the best design choice - not adding timelock on deposit in LLMOracleRegistry, because of this root cause too many attacks can happen
Severity: High
Tools Used
Manual Review
Recommendations
Add timelock for generators/validators deposits and maybe penalty for trash actions.
Lead Judging Commences
There is no oracle whitelisting
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.