Invalid handling of allZeroesOrInvalid in resolveMultiScalarMarket()

[hats-bug-reporter[bot]]

Github username: @cpp-phoenix Twitter username: 0xrochimaru Submission hash (on-chain): 0x7570d50e8215999f2e3e40019e3df7d03fcaed217267f0047a91ff889da4d872 Severity: high

Description: Description\ To resolve a Multi Scalar Market resolveMultiScalarMarket() is called. Which compares the results and set result as invalid if allZeroesOrInvalid is True. But it's not handled properly.

https://github.com/hats-finance/SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/blob/6e5db716e44e251fcee6abd7c1f6a8d6e36db910/contracts/src/RealityProxy.sol#L172C8-L187C10

Attack Scenario\ If all the results are invalid then the market should resolve to invalid. But the value of allZeroesOrInvalid instead relies on the last element. If the last element is valid then the allZeroesOrInvalid is false otherwise it is true and the next check sets the whole market as invalid.

Recommendation\ The check allZeroesOrInvalid want to ensure if one of the underlying results are valid so modify the check as below.

for (uint256 i = 0; i < numOutcomes; i++) {
    payouts[i] = uint256(realitio.resultForOnceSettled(questionsIds[i]));

    if (payouts[i] == uint256(INVALID_RESULT)) {
        payouts[i] = 0;
    } else if (payouts[i] > maxPayout) {
        payouts[i] = maxPayout;
    }

    if(allZeroesOrInvalid) {
        allZeroesOrInvalid = allZeroesOrInvalid && payouts[i] == 0;
    }
}

[greenlucid]

Dupe #14

[clesaege]

Duplicate of https://github.com/hats-finance/SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/issues/14 It's now the 4th time this is reported.