hats-finance / SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7


Market resolve missing access control #41

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x22251086f5d9798a623d63ef84017a7b2c18413a73c834dab8bcee6b24e8eff5
Severity: high

Description

Market resolve missing access control

```solidity
/// @dev Helper function to resolve the market.
function resolve() external {
    realityProxy.resolve(this);
}
```

Once the issue is resolved, Market#resolve is no longer callable and reverts,

```solidity
function resolveScalarMarket(
    bytes32 questionId,
    bytes32[] memory questionsIds,
    uint256 low,
    uint256 high
) internal {
    uint256 answer = uint256(realitio.resultForOnceSettled(questionsIds[0]));
    uint256[] memory payouts = new uint256[](3);

    if (answer == uint256(INVALID_RESULT)) {
        // the last outcome is INVALID_RESULT.
        payouts[2] = 1;
    } else if (answer <= low) {
        payouts[0] = 1;
    } else if (answer >= high) {
        payouts[1] = 1;
    } else {
        payouts[0] = high - answer;
        payouts[1] = answer - low;
    }

    conditionalTokens.reportPayouts(questionId, payouts);
}
```

because the question id has already been reported to the conditional tokens contract.

Combined with the fact that a user can create a malicious market to resolve and report an incorrect payout, because reportPayouts only takes the question id as a parameter,

a malicious market may have the same question id as the valid one.


```solidity
// PoC skeleton from the report, made syntactically valid: pragma and return
// types added, questionIds typed as bytes32[] (Reality question ids are
// bytes32), and the typo `questionsId()` replaced by returning the local array.
pragma solidity ^0.8.0;

contract MaliciousMarket {
    function questionIds() external pure returns (bytes32[] memory) {
        bytes32[] memory ids = new bytes32[](1);
        // 29-byte literal, so it fits in a bytes32
        ids[0] = bytes32("will there be another dispute");
        return ids;
    }

    function numOutComes() external pure returns (uint256) {
        return 10;
    }

    function low() external pure returns (uint256) {
        return 1;
    }

    function high() external pure returns (uint256) {
        return 2;
    }
}
```

Attack Scenario: Describe how the vulnerability can be exploited.

Attachments

1. Proof of Concept (PoC) File
2. Revised Code File (Optional)

greenlucid commented 1 month ago

You mixed up the questionId that identifies the Conditional Token, with the questionIds[0] that resolves the Categorical, MultiCategorical or Scalar Market. The CT questionId comes from hashing the questionIds, which will only be consulted on realitio.

https://github.com/hats-finance/SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/blob/4e56254cbd071b6f678a108ccdb8660951636d27/contracts/src/MarketFactory.sol#L295
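To make the distinction in the reply above concrete, and to show what the `resolveScalarMarket` branches quoted in the report actually pay out, here is an added Python model written for this write-up; it is not code from the SeeR-PM repository. It assumes that the conditional-token `questionId` is a hash over the Reality `questionIds` array (the exact encoding is an assumption, and `sha256` stands in for on-chain `keccak256`), that `INVALID_RESULT` is the all-ones `uint256`, and that `ConditionalTokens.reportPayouts` rejects a second report for the same id, which is the revert the report observes. Two markets only share a CT `questionId` when their Reality question lists hash to the same value, so a market that returns a different `questionIds()` array reports against a different condition.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Assumed sentinel: Reality.eth's INVALID_RESULT is modelled as the all-ones uint256.
INVALID_RESULT = 2**256 - 1


def scalar_payouts(answer: int, low: int, high: int) -> list[int]:
    """Model of the payout vector computed by MarketFactory.resolveScalarMarket.

    Slot 0 pays the 'low' side, slot 1 the 'high' side, slot 2 the INVALID outcome.
    The branches mirror the contract excerpt quoted in the report.
    """
    if not (0 <= answer < 2**256):
        raise ValueError("answer must fit in a uint256")
    payouts = [0, 0, 0]
    if answer == INVALID_RESULT:
        payouts[2] = 1
    elif answer <= low:
        payouts[0] = 1
    elif answer >= high:
        payouts[1] = 1
    else:
        payouts[0] = high - answer
        payouts[1] = answer - low
    return payouts


def ct_question_id(question_ids: list[bytes]) -> bytes:
    """Derive the conditional-token questionId from the Reality question ids.

    Assumption: the CT id is a hash over the concatenated bytes32 ids. sha256 is
    used here as a stand-in for keccak256 so the model runs with the stdlib only.
    """
    h = hashlib.sha256()
    for qid in question_ids:
        if len(qid) != 32:
            raise ValueError("Reality question ids are bytes32")
        h.update(qid)
    return h.digest()


@dataclass(frozen=True)
class ReportedCondition:
    """One reportPayouts call, keyed by the CT questionId."""
    question_id: bytes
    payouts: tuple[int, ...]


class ConditionalTokensModel:
    """Minimal model of ConditionalTokens: each questionId can be reported once."""

    def __init__(self) -> None:
        self._reports: dict[bytes, ReportedCondition] = {}

    def report_payouts(self, question_id: bytes, payouts: list[int]) -> None:
        if question_id in self._reports:
            # This is the revert the report sees when Market#resolve is called again.
            raise RuntimeError("payout denominator already set")
        if sum(payouts) == 0:
            raise RuntimeError("payout is all zeroes")
        self._reports[question_id] = ReportedCondition(question_id, tuple(payouts))

    def payouts_for(self, question_id: bytes) -> tuple[int, ...] | None:
        rep = self._reports.get(question_id)
        return rep.payouts if rep else None


def resolve_scalar(ct: ConditionalTokensModel, question_ids: list[bytes],
                   answer: int, low: int, high: int) -> bytes:
    """Model of RealityProxy resolving a scalar market: hash ids, then report."""
    qid = ct_question_id(question_ids)
    ct.report_payouts(qid, scalar_payouts(answer, low, high))
    return qid


def resolve_twice(question_ids: list[bytes], answer: int, low: int,
                  high: int) -> tuple[bool, tuple[int, ...] | None]:
    """Resolve once, then again; returns (second call reverted?, recorded payouts)."""
    ct = ConditionalTokensModel()
    qid = resolve_scalar(ct, question_ids, answer, low, high)
    try:
        resolve_scalar(ct, question_ids, answer, low, high)
        reverted = False
    except RuntimeError:
        reverted = True
    return reverted, ct.payouts_for(qid)


if __name__ == "__main__":
    # Constructed sample: one Reality question id, range [100, 200], settled at 150.
    sample_ids = [b"\x11" * 32]
    print(scalar_payouts(150, 100, 200))          # [50, 50, 0]
    print(resolve_twice(sample_ids, 150, 100, 200))  # (True, (50, 50, 0))
    print(ct_question_id(sample_ids) != ct_question_id([b"\x22" * 32]))  # True
```

The in-range branch splits the payout proportionally (`high - answer` to slot 0, `answer - low` to slot 1), the boundary cases collapse to a single winning slot, and a second resolution of the same id is rejected by the token contract rather than by the market, which is the behaviour the report describes as the revert.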

clesaege commented 1 month ago

Similar to https://github.com/hats-finance/SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/issues/35