Dria

21,000 USDC
Submission Details
Severity: medium
Invalid

Lack of parameter sanitization on `setParameters` can cause the `onlyValidParameters` modifier to fail for all transactions in `LLMOracleManager.sol`

Summary

The setParameters function in the LLMOracleManager contract does not validate that the minimum task parameters are consistent with the maximum ones. The owner can set minimumParameters fields higher than the corresponding maximumParameters fields, after which no input can satisfy the onlyValidParameters modifier and every call guarded by it reverts. A misconfiguration of this kind disables the contract's core functionality and locks users out until the bounds are corrected.

Vulnerability Details

The setParameters function lets the owner update the bounds for the task parameters (difficulty, number of generations, number of validations) but does not check that each field of minimumParameters is less than or equal to the same field of maximumParameters. The onlyValidParameters modifier requires every field of a caller-supplied parameter set to lie within [minimum, maximum]; if a minimum is set above its maximum, that interval is empty and the modifier reverts every call that uses it, whatever values the caller supplies. This disrupts the service for all users interacting with the contract.

function setParameters(LLMOracleTaskParameters calldata minimums, LLMOracleTaskParameters calldata maximums)
    public
    onlyOwner
{
    // No ordering check: a field of minimums may exceed the same field of maximums
    minimumParameters = minimums;
    maximumParameters = maximums;
}

The code above does not verify that each field of minimums is less than or equal to the same field of maximums, so a single incorrect owner call leaves the contract in an unusable state.
To demonstrate this, the following Hardhat test has the owner set minimumParameters above maximumParameters and then shows that the onlyValidParameters modifier rejects a parameter set that would be acceptable under sane bounds.

const { expect } = require("chai");
// Hardhat injects ethers and upgrades as globals, but an explicit import keeps the test self-contained
const { ethers, upgrades } = require("hardhat");

describe("LLMOracleManager Vulnerability Test", function () {
  let oracleManager, owner;

  beforeEach(async function () {
    [owner] = await ethers.getSigners(); // the deployer becomes the owner
    const OracleManager = await ethers.getContractFactory("LLMOracleManager", owner);
    oracleManager = await upgrades.deployProxy(OracleManager, [10, 1, 1]);
  });

  it("should revert transactions if setParameters sets minimum > maximum", async function () {
    // Owner sets inverted bounds: every minimum is above the corresponding maximum
    await oracleManager.connect(owner).setParameters(
      { difficulty: 10, numGenerations: 10, numValidations: 10 },
      { difficulty: 5, numGenerations: 5, numValidations: 5 }
    );

    // No value can satisfy min <= value <= max now, so a parameter set that would be
    // accepted under sane bounds is rejected by onlyValidParameters.
    // If InvalidParameterRange is declared as a custom error rather than a revert string,
    // use .to.be.revertedWithCustomError(oracleManager, "InvalidParameterRange") instead.
    await expect(
      oracleManager.getFee({ difficulty: 5, numGenerations: 3, numValidations: 3 })
    ).to.be.revertedWith("InvalidParameterRange");
  });
});

The getFee call reverts with InvalidParameterRange, confirming that the onlyValidParameters modifier rejects every input once the bounds are inverted.

Impact

If the bounds are set incorrectly, every transaction guarded by onlyValidParameters reverts and users are locked out of the contract until the configuration is corrected. Note the precondition: setParameters is restricted by onlyOwner, so the faulty state can only be created by the owner, and the same owner can restore service with a second setParameters call carrying consistent values. The missing check is therefore a safeguard against owner misconfiguration rather than something an untrusted caller can trigger, but while the bounds are inverted the contract cannot function as intended.

Tools Used

Manual review.

Recommendations

To fix this issue, add validation in setParameters so that each minimum is less than or equal to the corresponding maximum; the same check should be applied wherever the bounds are first initialized, since an inverted initial configuration has the same effect:

function setParameters(LLMOracleTaskParameters calldata minimums, LLMOracleTaskParameters calldata maximums)
    public
    onlyOwner
{
    // Reject any field whose minimum would exceed its maximum
    require(
        minimums.difficulty <= maximums.difficulty &&
        minimums.numGenerations <= maximums.numGenerations &&
        minimums.numValidations <= maximums.numValidations,
        "Minimums must be less than or equal to maximums"
    );
    minimumParameters = minimums;
    maximumParameters = maximums;
}
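As an added, stand-alone illustration (not the Dria/LLMOracleManager source), the contract below models the range-guarded modifier and the hardened setter together, so the two can be read side by side. The struct layout, the InvalidParameterRange error signature, the modifier body, the InvertedBounds error name and the getFee formula are all assumptions chosen to mirror the names used in this report; the point it adds is that the ordering check is routed through one private function that is also run when the bounds are first set, so the contract can never enter the inverted state at any point in its life.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Field widths, error signatures and the
// fee formula are assumptions made for illustration.
struct LLMOracleTaskParameters {
    uint8 difficulty;
    uint40 numGenerations;
    uint40 numValidations;
}

contract BoundedOracleParameters {
    /// Raised by onlyValidParameters when a caller-supplied value is outside [min, max].
    error InvalidParameterRange(uint256 have, uint256 min, uint256 max);
    /// Raised by the setter when a minimum would exceed its maximum (assumed name).
    error InvertedBounds(string field, uint256 min, uint256 max);

    address public immutable owner;
    LLMOracleTaskParameters public minimumParameters;
    LLMOracleTaskParameters public maximumParameters;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Same shape as the modifier described in the report: every field must lie in
    // [minimum, maximum]. With inverted bounds that interval is empty for every input.
    modifier onlyValidParameters(LLMOracleTaskParameters calldata p) {
        _checkRange(p.difficulty, minimumParameters.difficulty, maximumParameters.difficulty);
        _checkRange(p.numGenerations, minimumParameters.numGenerations, maximumParameters.numGenerations);
        _checkRange(p.numValidations, minimumParameters.numValidations, maximumParameters.numValidations);
        _;
    }

    // The ordering check also runs here, so the initial bounds cannot be inverted either.
    constructor(LLMOracleTaskParameters memory minimums, LLMOracleTaskParameters memory maximums) {
        owner = msg.sender;
        _setParameters(minimums, maximums);
    }

    function setParameters(
        LLMOracleTaskParameters calldata minimums,
        LLMOracleTaskParameters calldata maximums
    ) external onlyOwner {
        _setParameters(minimums, maximums);
    }

    // Illustrative guarded function; the formula is invented for the example.
    function getFee(LLMOracleTaskParameters calldata p)
        external
        view
        onlyValidParameters(p)
        returns (uint256)
    {
        return uint256(p.difficulty) * (uint256(p.numGenerations) + uint256(p.numValidations)) * 1e15;
    }

    // Single place where bounds are written: rejects any field whose minimum exceeds its maximum.
    function _setParameters(
        LLMOracleTaskParameters memory minimums,
        LLMOracleTaskParameters memory maximums
    ) private {
        if (minimums.difficulty > maximums.difficulty) {
            revert InvertedBounds("difficulty", minimums.difficulty, maximums.difficulty);
        }
        if (minimums.numGenerations > maximums.numGenerations) {
            revert InvertedBounds("numGenerations", minimums.numGenerations, maximums.numGenerations);
        }
        if (minimums.numValidations > maximums.numValidations) {
            revert InvertedBounds("numValidations", minimums.numValidations, maximums.numValidations);
        }
        minimumParameters = minimums;
        maximumParameters = maximums;
    }

    function _checkRange(uint256 have, uint256 min, uint256 max) private pure {
        if (have < min || have > max) revert InvalidParameterRange(have, min, max);
    }
}
```

In an upgradeable deployment such as the one the PoC uses (deployProxy with an initializer), the constructor above corresponds to the initializer: route its initial bounds through the same private setter so that the deployment transaction, not only later owner calls, is covered by the check. A custom error carrying the offending field and values is used instead of a revert string because it makes the misconfiguration visible in the transaction trace and costs less gas; either form is acceptable for the fix.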
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
