Markets with low amount of liquidity being traded might be exploited by whales

[hats-bug-reporter[bot]]

Github username: @Rassska Twitter username: m_Rassska Submission hash (on-chain): 0x95b8b57b0bd879a451debd8d4e1fe92743a8ff3f052cc44bab800a3355d7ee43 Severity: medium

Description: Description

• Currently, the Seer relies on reality.eth for resolving the market outcomes. Reality itself allows to anyone to provide an answer for the question, if sufficient bond was provided. Upon finalizing the market, reality takes the last answer as a truth and the market could be resolved based on that answer.

• If the users think that the answer was not correctly delivered, they have an option to open a dispute so that the arbitrator can step in. In order to do that, they have to pay a certain fee to the arbitration committee. However, the problem might erise, when it's not economically worth to open a dispute.

Attack Scenario

• Imagine the following scenario taking place:
  • Bob created a market dedicated to a chess match between Magnus and Ian.
  • Users start to put the collateral and mint outcome tokens:
  • ["Magnus will win"]
  • ["Ian will win"]
  • ["Invalid result/draw"]
  • Some users trade their options to make a profit if their bet-option becomes an answer
  • The match comes to the end and Magnus's is winning, however, somebody who has a high stake on Ian decided to submit a second answer as a truth.
  • Other users holding ["Magnus will win"] options are not economically incentivized to open dispute or provide an answer to reality, since both options cost more than they have under a stake.
  • As a result, users who hold little positions will be exploited by a whale.

Mitigation Steps

• Integrate an additional oracle backed by DAO to resolve such disputes for the markets with low liquidity.

[greenlucid]

Those malicious whales would be creating a big target for honest whales (or honest regular associated actors) to contest it, the liquidity of the markets is not the only incentive to fix bad answers

[Rassska]

the liquidity of the markets is not the only incentive to fix bad answers

Yes, i do agree, but how to prevent someone from being malicious on a protocol level? Would you pay >0.5 eth to Kleros or 0.4eth(as a bond to post an answer) to save your $100 winnings? Nah, you wouldn't. Now imagine dozens of users with small bets without being able to correct the answer. Anyways, would love to get the feedback and propose a solution to prevent this behaviour on-chain.

Thanks! @greenlucid

[greenlucid]

Would you pay >0.5 eth to Kleros or 0.4eth(as a bond to post an answer) to save your $100 winnings? Nah, you wouldn't.

the attacker has put 0.2 eth as bond. so if I put 0.4 eth and I win, I make 0.2 eth + my 100$ winnings. if attacker doubles again, I take it to kleros

also read Out of Scope:

Issues about reality.eth + Kleros (see https://reality.eth.link/app/ & https://court.kleros.io/) misresolving questions. We assume that wrong answers on reality are always corrected (by doubling the bond or creating a dispute).

Thanks! @Rassska

[clesaege]

Yeah, I think the confusion there is between cost and budget. The bond is a budget requirement, not a cost requirement. You don't lose it. So for any wrong answer, someone can double the bond and will get as a reward 50% of is budget. This already happened in practice in another prediction market using Kleros + reality (in the Kleros covid case, where despite a smaller market, we had way more money in bonds).

Per competition rules, are excluded:

• Issues about reality.eth + Kleros (see https://reality.eth.link/app/ & https://court.kleros.io/) misresolving questions. We assume that wrong answers on reality are always corrected (by doubling the bond or creating a dispute). We also assume that all disputes are given the correct ruling. We assume that there are always honest parties with enough capital to put bonds, pay arbitration and appeal fees. We also assume that honest actors always do those actions in time.