Open hats-bug-reporter[bot] opened 1 month ago
In that case I think the attacker is DoSsing himself by calling a function with fake values, but you need to explain how a third party can be affected by this manipulation
@xyzseer Of course, I will explain. It's not affecting just the attacker.
Attack Scenario:
Market X: (Will Joe Biden become president?)
Market Y: (If Joe Biden becomes president who will be the VP?)
conditionId() of the Y market during the creation so the parentCollectionId in createNewMarketParams() is referring to an actual market X, so we can execute the new creation of market Y.
Router.sol for that Conditional Market Y can arbitrarily be affected by the call to the malicious parentMarket address, which only happens via market.parentWrappedOutcome();, as it calls a function on the parentMarket contract:
- code_snippet
This can result in data manipulation for the returned wrapped1155, potentially returning one for a different possible outcome, or DoS.
Users who use the Router.sol for that Conditional Market Y
Here, as you state yourself, this doesn't affect users of legit markets. This malicious Y market would never get verified on Curate.
As per contest rules, these are excluded:
if a child market of a malicious market is displayed, but points to some market which is not displayed, cannot be interacted with or is labelled as problematic, we consider it fine as it would not get verified on Curate
as long as this wouldn't result in those being displayed in the interface looking like normal markets
@clesaege, glad that you mentioned that. Actually, it is perfectly referring to the case where we have a market that looks perfectly legitimate.
This would indeed be displayed as a normal market because the Conditional Market Y would be created via the MarketFactory. Maybe it's bad wording on my part labeling it as malicious.
The parentMarket, which the attacker would set, would actually refer to a legitimate market X that's already deployed from the MarketFactory, as the parentMarket can return actual, legitimate data of an existing market that was also created via the MarketFactory.
Someone has already created a market X (Will Joe Biden become president?)
Only in the case where it's called during split/redeem/merge could we conditionally manipulate the outcome to have different behavior.
Can you provide a practical example of such conditional manipulation?
@xyzseer
Can you provide a practical example of such conditional manipulation?
Yes, of course. I will get back to you with a PoC.
@MrValioBg
the Conditional Market Y would be created via the MarketFactory
legitimate market X that’s already deployed from the MarketFactory
Then both markets are created by the factory and there is no issue.
My understanding is that you are reporting exactly what we were expecting people to report when we wrote the exclusion.
Github username: --
Twitter username: --
Submission hash (on-chain): 0xfd91e80b22698c2ce686de57d4b5b195ab2a1255af06c311ff53276f9b02b917
Severity: high
Description:
Summary
Parent Market can be set to an arbitrary address, since it's not verified that it was deployed by MarketFactory, which can lead to manipulations of data.
Vulnerability Details
We don't have validation that this parentMarket address actually exists in the markets[] in MarketFactory.sol; we directly call it to retrieve its parentCollectionId() and conditionId() and then set it as the parentMarket address for the conditional market we are creating. This means that we can basically return arbitrary data for all of the functions of that parent market. We could do a lot of manipulations such as tricking people that the parentCollectionId is actually referring to an actual existing market (we can do that as we can return arbitrary data that can build a legit parentCollectionId)
wrappedOutcome, as parentWrappedOutcome() calls our bad parentMarket contract.
Additionally, as malicious outcomes we have other possible cases. Since parentWrappedOutcome() is called in _splitPosition(), _mergePositions() and _redeemPositions(), we could exhaust the gas from the transaction, since an arbitrary call was just made to our parentMarket contract, leading to DoS and excessive gas charges for the user. This can prevent users from redeeming/splitting/merging their position via the Router.
Recommendation
In createNewMarketParams(), if the parentMarket is not address(0), verify that it exists in the address[] public markets;
You may have to convert the market array to a mapping, so we avoid looping. For example if we create a mapping isMarket
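The recommendation above, as an added Solidity sketch that is not Seer's code: a factory that records every market it deploys in an isMarket mapping and rejects a non-zero parentMarket it did not deploy before reading parentCollectionId() and conditionId() from it. The IMarket interface, the CreateMarketParams fields, the function shapes and the _registerMarket helper are assumptions made for this example; only the names parentMarket, parentCollectionId(), conditionId(), markets and isMarket come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface: only the two getters the report says the
// factory reads from the parent market during creation.
interface IMarket {
    function parentCollectionId() external view returns (bytes32);
    function conditionId() external view returns (bytes32);
}

contract MarketFactorySketch {
    address[] public markets;                 // existing list, kept for enumeration
    mapping(address => bool) public isMarket; // O(1) membership check, set on creation

    // Assumed shape; the real struct has more fields.
    struct CreateMarketParams {
        address parentMarket;
        uint256 parentOutcome;
    }

    error ParentMarketNotFromFactory(address parentMarket);

    // Hardened version of the check the report asks for. Before the fix the two
    // IMarket calls below were made unconditionally on whatever address
    // params.parentMarket held, so a contract under the caller's control
    // answered them; now a non-zero parent must be one this factory deployed.
    function createNewMarketParams(CreateMarketParams memory params)
        internal
        view
        returns (bytes32 parentCollectionId, bytes32 parentConditionId)
    {
        if (params.parentMarket != address(0)) {
            if (!isMarket[params.parentMarket]) {
                revert ParentMarketNotFromFactory(params.parentMarket);
            }
            // Only now is it safe to trust what the parent returns.
            parentCollectionId = IMarket(params.parentMarket).parentCollectionId();
            parentConditionId = IMarket(params.parentMarket).conditionId();
        }
        // parentMarket == address(0): a top-level market, both values stay zero.
    }

    // Every market created through the factory is registered in both
    // structures, so the array stays available and the mapping avoids looping.
    function _registerMarket(address market) internal {
        markets.push(market);
        isMarket[market] = true;
    }
}
```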