Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: medium
Valid

LLMOracleCoordinator::withdrawPlatformFees withdraws absolutely all tokens, even those needed to pay fees for the current taskId

Summary

The LLMOracleCoordinator contract works as follows.

Each request creates a task. Each task has three states: PendingGeneration, PendingValidation, Completed.

When creating a task, the creator pays a fee made up of validatorFee for all validator scores, generatorFee for all generated responses to the request, and platformFee.

After all stages have finished, the general situation is as follows.

  1. Generators with the best responses are given an approval (allowance) for generatorFee.

  2. Validators with the best scores are given an approval (allowance) for validationFee.

  3. Since the user pays for all generation and validation, some of the funds are left over unused.

Now consider the withdrawal function for the owner.

function withdrawPlatformFees() public onlyOwner {
    feeToken.transfer(owner(), feeToken.balanceOf(address(this)));
}

This function simply transfers the contract's entire token balance to the owner.

This approach certainly accounts for protocolFee and the leftover fees described in item 3, but it completely violates items 1 and 2: the validators and generators now hold only allowances on the tokens, with no actual ability to withdraw them until new tokens arrive in the contract.

Vulnerability Details

Validators and generators are put in an absolutely unfair position in the following cases.

  1. If a validator/generator does not withdraw its reward immediately, in the same transaction, access to its funds may be blocked later because of this withdrawal mechanism for the owner.

    Moreover, if it does withdraw the funds, it blocks withdrawal for other validators for a time.

  2. If the owner withdraws rewards while there is a taskId that is not yet completed, the validators/generators of that taskId will not receive their rewards, because the owner will have withdrawn them.

Impact

If the owner withdraws rewards while there is a taskId that is not yet completed, the validators/generators of that taskId will not receive their rewards, because the owner will have withdrawn them.

Severity: High

Tools Used

Manual Review

Recommendations

Fix the withdrawal mechanism: add counters that track the owner's share of the total contract balance.
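One way to implement such a counter, as an added sketch that is not the Dria contract's code: only `feeToken` and `withdrawPlatformFees` come from the finding, while `FeeAccountingSketch`, `ownerWithdrawable`, `escrowOf`, `request` and `_settle` are hypothetical names, and the completion logic that calls `_settle` is assumed to exist elsewhere.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a minimal stand-in, not the LLMOracleCoordinator itself.
// Every name except feeToken and withdrawPlatformFees is hypothetical.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract FeeAccountingSketch {
    IERC20 public immutable feeToken;
    address public immutable owner;
    uint256 public ownerWithdrawable; // counter: owner's share of the balance
    uint256 public nextTaskId;
    mapping(uint256 => uint256) public escrowOf; // generator + validator fees per task

    constructor(IERC20 token) {
        feeToken = token;
        owner = msg.sender;
    }

    // Task creation: all fees are pulled in, but only platformFee is credited to the owner.
    function request(uint256 platformFee, uint256 generatorFee, uint256 validatorFee) external returns (uint256 taskId) {
        taskId = nextTaskId++;
        escrowOf[taskId] = generatorFee + validatorFee;
        ownerWithdrawable += platformFee;
        uint256 total = platformFee + generatorFee + validatorFee;
        require(feeToken.transferFrom(msg.sender, address(this), total), "pull failed");
    }

    // Task completion: paidOut is the sum of allowances granted to generators and
    // validators; only the unused remainder of the escrow becomes the owner's.
    function _settle(uint256 taskId, uint256 paidOut) internal {
        uint256 escrow = escrowOf[taskId];
        require(paidOut <= escrow, "overpaid");
        escrowOf[taskId] = 0;
        ownerWithdrawable += escrow - paidOut;
    }

    // Withdraws only the tracked share; escrow of pending tasks and unclaimed rewards stay put.
    function withdrawPlatformFees() external {
        require(msg.sender == owner, "not owner");
        uint256 amount = ownerWithdrawable;
        ownerWithdrawable = 0;
        require(feeToken.transfer(owner, amount), "transfer failed");
    }
}
```

Because the tokens behind granted allowances and pending tasks are never added to `ownerWithdrawable`, an owner withdrawal at any point leaves them in the contract.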

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`withdrawPlatformFees` withdraws the entire balance
