sherlock-audit / 2024-06-allora-judging


volodya - forecast-implied inferences can be set to any value because ForecastElements is not filtered for duplicates. #12

Open sherlock-admin4 opened 2 months ago

sherlock-admin4 commented 2 months ago

volodya

High

forecast-implied inferences can be set to any value because ForecastElements is not filtered for duplicates.

Summary

forecast-implied inferences can be set to any value because ForecastElements is not filtered for duplicates.

Vulnerability Detail

The function InsertBulkWorkerPayload doesn't have any authentication. There is no validation for duplicates inside the input variable workerDataBundle.InferenceForecastsBundle.Forecast.ForecastElements.

            // Each element whose inferer was accepted in this batch is kept;
            // nothing here checks whether the same el.Inferer appears more than once.
            for _, el := range forecast.ForecastElements {
                if _, ok := acceptedInferersOfBatch[el.Inferer]; ok {
                    acceptedForecastElements = append(acceptedForecastElements, el)
                }
            }

            // Discard if empty
            if len(acceptedForecastElements) == 0 {
                continue
            }

msg_server_worker_payload.go#L164

ForecastElements is used inside CalcForecastImpliedInferences to calculate the forecast-implied inference value.

Impact

forecastValue can be set to any value due to duplication.

Code Snippet

Tool used

Manual Review

Recommendation

Filter out duplicates inside workerDataBundle.InferenceForecastsBundle.Forecast.ForecastElements inside verifyAndInsertForecastsFromTopForecasters before saving via ms.k.InsertForecasts(
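One way to implement the recommended duplicate check, as an added Go example that is not the project's own code: the ForecastElement type, its field names, and the meanOfElements aggregation are assumptions standing in for the real types and for CalcForecastImpliedInferences, used only to show how a repeated element skews an aggregate.

```go
package main

import "fmt"

// ForecastElement is an assumed stand-in for the project's type: who the
// forecast is about and the forecasted value.
type ForecastElement struct {
	Inferer string
	Value   float64
}

// filterForecastElements keeps only elements whose inferer was accepted in
// this batch and rejects the whole bundle if any inferer appears twice.
// Rejecting (rather than silently keeping the first copy) treats a bundle
// with repeated inferers as malformed input that should not be stored.
func filterForecastElements(elements []ForecastElement, accepted map[string]struct{}) ([]ForecastElement, error) {
	seen := make(map[string]struct{}, len(elements))
	out := make([]ForecastElement, 0, len(elements))
	for _, el := range elements {
		if _, dup := seen[el.Inferer]; dup {
			return nil, fmt.Errorf("duplicate forecast element for inferer %s", el.Inferer)
		}
		seen[el.Inferer] = struct{}{}
		if _, ok := accepted[el.Inferer]; ok {
			out = append(out, el)
		}
	}
	return out, nil
}

// meanOfElements is a deliberately simple, assumed aggregation (not the
// project's CalcForecastImpliedInferences). With the constructed input
// {a:100, a:100, a:100, b:1} it returns 75.25, because the repeated element
// for inferer a carries three times the weight of inferer b.
func meanOfElements(elements []ForecastElement) float64 {
	if len(elements) == 0 {
		return 0
	}
	sum := 0.0
	for _, el := range elements {
		sum += el.Value
	}
	return sum / float64(len(elements))
}
```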

sherlock-admin2 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

forecastValue can be set to any value due to duplication

sherlock-admin2 commented 2 months ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/allora-network/allora-chain/pull/449