Description

A ZKMLChallenge is one type of challenge that the Spectral protocol supports. The modelers are required to reply to a challenge, by essentially answering with their model's response. The respondToZKMLChallenge function thus allows the modeler to respond to a ZKMLChallenge by providing the IPFS response where their model's response has been uploaded.

function respondToZKMLChallenge(address _validator, string calldata _ipfsResponse) external {
    require(modelers[msg.sender].modelerSubmissionBlock != 0, "M not registered");
    require(isValidatorRegistered[_validator], "V not registered");
    DataTypes.ModelerChallenge memory zc = ZKMLChallenges[msg.sender];
    require(bytes(zc.ipfsChallenge).length > 0, "Challenge not found");
    zc.ipfsResponse = _ipfsResponse; // @audit-issue this is memory!!! storage won't update properly!!!!
    emit ZKMLChallengeResponse(_validator, msg.sender, _ipfsResponse);
} 

The function assures that the msg.sender is a registered modeler and would then store the user's response. The issue arises, however, due to the fact that the ZKMLCHallenges[msg.sender] object is referenced by memory instead of storage, so any update to it will not be persistent after the function call ends.

Impact

The user's ipfsResponse for the ZKML challenges will never actually be stored.

Recommendations

Change the type of zc to storage instead of memory to ensure that the changes are persistent.

function respondToZKMLChallenge(address _validator, string calldata _ipfsResponse) external {
    // ... 
-   DataTypes.ModelerChallenge memory zc = ZKMLChallenges[msg.sender];
+   DataTypes.ModelerChallenge storage zc = ZKMLChallenges[msg.sender];
    // ...
} 

Remediation

This issue has been acknowledged by Spectral Finance, and a fix was implemented in commit dd51d097↗.