Description:

The function `createNewMarketParams` creates a market and generates a `questionId` using keccak256 hashing based on various market parameters. The current implementation of the `questionId` generation uses keccak256 to hash the parameters that will later be used in `RealityProxy.resolve()`. The intention is to ensure that only markets with the exact same parameters as the original one can be resolved. However, the lack of a unique identifier, such as a market ID or timestamp, may allow an attacker to reuse the same inputs and replay the `questionId` across different markets.
Furthermore, there is no check for a duplicate `questionId`.

Attack Scenario

1. An attacker creates a market (Market A) with specific parameters, generating a unique `questionId`.
2. The attacker later creates a second market (Market B) with identical parameters, generating the same `questionId` as Market A.
3. By exploiting this duplication, the attacker may trick the resolution system into resolving Market B incorrectly, or manipulate other aspects of the market resolution based on the replayed `questionId`.

This issue could lead to replay attacks, where an attacker could duplicate an already resolved market by reusing the `questionId` of the original market, potentially resulting in fraudulent market outcomes or manipulation of market resolution.
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Incorporate a unique market identifier such as a `marketId`, nonce, or `block.timestamp` into the hash used to generate `questionId`. This will ensure that each market has a unique `questionId` even when other parameters remain identical.
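
One way to apply this recommendation together with the missing duplicate check, as an added Solidity example that is not the audited project's code. The contract, function and parameter names are hypothetical, and the three market parameters stand in for whatever the real hash covers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited project's code. Every name here is
// hypothetical; the three parameters stand in for the real market parameters.
contract QuestionIdExample {
    error ZeroMarket();
    error DuplicateQuestionId(bytes32 questionId);

    // Per-factory counter. Preferred over block.timestamp, which is shared
    // by every market created in the same block.
    uint256 public marketNonce;

    // questionId => market that registered it (zero address = unused).
    mapping(bytes32 => address) public marketOf;

    // Parameters-only derivation, as the report describes it: identical
    // inputs always produce the same id, so two markets can share one.
    function paramsOnlyId(
        string calldata marketName,
        string[] calldata outcomes,
        uint32 openingTime
    ) public pure returns (bytes32) {
        return keccak256(abi.encode(marketName, outcomes, openingTime));
    }

    // Hardened derivation: the id is bound to this chain, this contract and
    // a nonce, and an id that is already registered is rejected.
    function registerQuestion(
        address market,
        string calldata marketName,
        string[] calldata outcomes,
        uint32 openingTime
    ) external returns (bytes32 questionId, uint256 nonce) {
        if (market == address(0)) revert ZeroMarket();
        nonce = marketNonce++;
        questionId = keccak256(
            abi.encode(block.chainid, address(this), nonce, marketName, outcomes, openingTime)
        );
        if (marketOf[questionId] != address(0)) revert DuplicateQuestionId(questionId);
        marketOf[questionId] = market;
    }
}
```

Because the report says the hash covers the parameters later used in `RealityProxy.resolve()`, the nonce has to be stored with the market or supplied at resolution so the same id can be recomputed.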
Github username: --
Twitter username: --
Submission hash (on-chain): 0xc711f992527968d6c89d7f3104a04f9ec2fb0dd0089ce200a5f989d15e4d60b1
Severity: high