Open code423n4 opened 3 years ago
This doesn't appear to be a problem with the code. There are warnings on the frontend. There is some quality control in the way markets are created by allowing governors to approve them, and the question specifics must be clearly stated for the oracle. We have already had, in a beta test, users disagree with the wording of an outcome and collectively invalidate the oracle, thereby returning all rent paid to the users.
I'm going to let this one stand mostly to serve as an additional warning to users who take the time to read the audit report. I don't think there is any action to take beyond warnings on the frontend.
Handle
0xRajeev
Vulnerability details
Impact
Collusion and sybil attacks are general problems with blockchain-based prediction markets and voting systems.
Collusion between the market creator and bidders: the creator creates a niche prediction market whose outcome they can predict with a higher probability than other participants, then spawns fake users (sybils) to inflate the pot size and lure victims into adding bids. The creator or their sybils hold the longest duration on the winning outcome (which they know with greater certainty than the other participants), thereby winning that market's outcome and taking the victims' rents (winner-take-all mode).
Proof of Concept
https://en.wikipedia.org/wiki/Sybil_attack
Tools Used
Manual Analysis
Recommended Mitigation Steps
The general problem is hard to solve. Document the risks involved and warn users about them appropriately.