search

hats-finance / SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7

1 stars 0 forks source link

Market resolve missing access control #41

Open hats-bug-reporter[bot] opened 4 hours ago

hats-bug-reporter[bot] commented 4 hours ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0x22251086f5d9798a623d63ef84017a7b2c18413a73c834dab8bcee6b24e8eff5 Severity: high

Description: Description\

Market resolve missing access control

  /// @dev Helper function to resolve the market.
    function resolve() external {
        realityProxy.resolve(this);
    }

Once the issue is resolved, the Market#resolve is not callable and revert.

  function resolveScalarMarket(
        bytes32 questionId,
        bytes32[] memory questionsIds,
        uint256 low,
        uint256 high
    ) internal {
        uint256 answer = uint256(realitio.resultForOnceSettled(questionsIds[0]));
        uint256[] memory payouts = new uint256[](3);

        if (answer == uint256(INVALID_RESULT)) {
            // the last outcome is INVALID_RESULT.
            payouts[2] = 1;
        } else if (answer <= low) {
            payouts[0] = 1;
        } else if (answer >= high) {
            payouts[1] = 1;
        } else {
            payouts[0] = high - answer;
            payouts[1] = answer - low;
        }

        conditionalTokens.reportPayouts(questionId, payouts);
    }

because the question id is already reported to conditional token.

combining with the fact that user can create a malicious market to resolve and report incorrectly payout because the report payout only has question id parameter,

yet a malicious market may have the same question id, as the valid one.


contract MaliciousMarket {

    function questionIds() {
        bytes[] memory questionIds = new bytes[](1);
        questionIds[0] = bytes("will there be another dispute");
        return questionsId();
    }

    function numOutComes() {
        return 10;
    }

    function low() {
        return 1;
    }

    function high() {
        return 2;
    }
}

Attack Scenario\ Describe how the vulnerability can be exploited.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)

greenlucid commented 28 minutes ago

You mixed up the questionId that identifies the Conditional Token, with the questionIds[0] that resolves the Categorical, MultiCategorical or Scalar Market. The CT questionId comes from hashing the questionIds, which will only be consulted on realitio.

https://github.com/hats-finance/SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/blob/4e56254cbd071b6f678a108ccdb8660951636d27/contracts/src/MarketFactory.sol#L295