search

hats-finance / SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7

1 stars 0 forks source link

Resolve function missing access control #35

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0x3042e2237782830148e5ccffedd66c5158d7ec707a9d551333a30781fe591209 Severity: high

Description: Description\

Market resolve missing access control

  /// @dev Helper function to resolve the market.
    function resolve() external {
        realityProxy.resolve(this);
    }

Once the issue is resolved, the Market#resolve is not callable and revert.

  function resolveScalarMarket(
        bytes32 questionId,
        bytes32[] memory questionsIds,
        uint256 low,
        uint256 high
    ) internal {
        uint256 answer = uint256(realitio.resultForOnceSettled(questionsIds[0]));
        uint256[] memory payouts = new uint256[](3);

        if (answer == uint256(INVALID_RESULT)) {
            // the last outcome is INVALID_RESULT.
            payouts[2] = 1;
        } else if (answer <= low) {
            payouts[0] = 1;
        } else if (answer >= high) {
            payouts[1] = 1;
        } else {
            payouts[0] = high - answer;
            payouts[1] = answer - low;
        }

        conditionalTokens.reportPayouts(questionId, payouts);
    }

because the question id is already reported to conditional token.

combining with the fact that user can create a malicious market to resolve and report incorrectly payout because the report payout only has question id parameter,

yet a malicious market may have the same question id, as the valid one.

Attack Scenario\ Describe how the vulnerability can be exploited.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)

JeffCX commented 1 month ago 
contract MaliciousMarket {

    function questionIds() {
        bytes[] memory questionIds = new bytes[](1);
        questionIds[0] = bytes("will there be another dispute");
        return questionsId();
    }

    function numOutComes() {
        return 10;
    }

    function low() {
        return 1;
    }

    function high() {
        return 2;
    }
}
clesaege commented 1 month ago

You can create malicious markets, but if you resolve them, you will not end up to the questionId of a correct market as all market params are used in the hash creating the questionId.

clesaege commented 1 month ago

Note that you could copy a valid market, but then all you'd be doing would just be resolving a valid market correctly.