Minato7namikazi - Inconsistent Handling of Zero Standard Deviation in `rewards_internal.go`

[sherlock-admin3]

Minato7namikazi

High

Inconsistent Handling of Zero Standard Deviation in rewards_internal.go

Vulnerability Detail

In the GetMappingFunctionValues function, there's an issue with how the code handles situations where the standard deviation (stdDev) of the latestTimeStepsScores is less than epsilon (or zero).

The problematic section is:

if stdDev.Lt(epsilon) {
    // ... return the plain value 1 for everybody ...
}

In this case, the function returns an array filled with alloraMath.OneDec(), essentially assigning the same score to every worker. However, this doesn't accurately reflect the formula in the comment:

M(T) = φ_p (abs[ T / σ(T) + ɛ])

If stdDev is zero (or very close to zero), the division T / σ(T) becomes undefined or extremely large, leading to a result that doesn't align with the intended mapping.

Consequences

This can skew the reward calculations significantly, as the mapping function values won't be accurately reflecting the worker scores relative to the standard deviation. This can lead to:

• Unfair Rewards: Workers might receive disproportionately high or low rewards compared to their actual performance.
• Disincentivizing Improvement: If workers see that their efforts don't result in meaningful reward differences, it can demotivate them from striving to improve.

The Fix: Correct Mapping Function Calculation

To address this, we need to modify the GetMappingFunctionValues function to handle the case of low or zero standard deviation more gracefully.

Code Snippet

https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/x/emissions/module/rewards/rewards_internal.go#L54

Tool used

Manual Review

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

Code snippets (stdDev.Lt(epsilon) and M(T) = φ_p (abs[ T / σ(T) + ɛ])) given can't be found in rewards_internal.go