Description

To resolve a Multi Scalar Market, `resolveMultiScalarMarket()` is called. It compares the results and sets the result as invalid if `allZeroesOrInvalid` is true, but this is not handled properly.

Attack Scenario

If all the results are invalid, the market should resolve to invalid. But the value of `allZeroesOrInvalid` instead relies on the last element: if the last element is valid, `allZeroesOrInvalid` is false; otherwise it is true, and the next check sets the whole market as invalid.

Recommendation

The `allZeroesOrInvalid` check is meant to ensure that at least one of the underlying results is valid, so modify the check as below.
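```solidity
for (uint256 i = 0; i < numOutcomes; i++) {
    payouts[i] = uint256(realitio.resultForOnceSettled(questionsIds[i]));
    if (payouts[i] == uint256(INVALID_RESULT)) {
        // An invalid answer contributes nothing to the payout.
        payouts[i] = 0;
    } else if (payouts[i] > maxPayout) {
        // Clamp oversized answers to the maximum payout.
        payouts[i] = maxPayout;
    }
    // Once the flag is false it stays false: one non-zero payout is enough.
    if (allZeroesOrInvalid) {
        allZeroesOrInvalid = allZeroesOrInvalid && payouts[i] == 0;
    }
}
```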
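The contract below is an added example, not code from the Seer repository or from the submitter. It puts the behaviour the report describes (a flag decided by the last outcome only) next to the accumulating check, with constructed answers; the contract and function names are hypothetical, and `INVALID_RESULT` is assumed to be the all-ones answer that Reality.eth uses for "invalid".

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; names are hypothetical.
contract AllZeroesOrInvalidDemo {
    // Assumption: "invalid" is encoded as the all-ones answer.
    bytes32 internal constant INVALID_RESULT = bytes32(type(uint256).max);

    // Clamp one settled answer the same way the loop in the report does.
    function _payout(bytes32 answer, uint256 maxPayout) internal pure returns (uint256 p) {
        p = uint256(answer);
        if (p == uint256(INVALID_RESULT)) {
            p = 0;
        } else if (p > maxPayout) {
            p = maxPayout;
        }
    }

    // Behaviour the report describes: the flag is overwritten on every
    // iteration, so only the last outcome decides it.
    function flagFromLastElement(bytes32[] memory answers, uint256 maxPayout) public pure returns (bool flag) {
        flag = true;
        for (uint256 i = 0; i < answers.length; i++) {
            flag = _payout(answers[i], maxPayout) == 0;
        }
    }

    // Accumulating form: the flag stays true only while every payout is zero.
    function flagAccumulated(bytes32[] memory answers, uint256 maxPayout) public pure returns (bool flag) {
        flag = true;
        for (uint256 i = 0; i < answers.length; i++) {
            flag = flag && _payout(answers[i], maxPayout) == 0;
        }
    }

    // Constructed cases; returns true when both variants behave as commented.
    function selfCheck() external pure returns (bool) {
        bytes32[] memory a = new bytes32[](3);
        // Two valid answers followed by an invalid one.
        a[0] = bytes32(uint256(40));
        a[1] = bytes32(uint256(60));
        a[2] = INVALID_RESULT;
        // Last-element variant flags the market invalid; accumulated one does not.
        bool mixed = flagFromLastElement(a, 100) && !flagAccumulated(a, 100);
        // Every answer zero or invalid: both variants flag the market invalid.
        a[0] = INVALID_RESULT;
        a[1] = bytes32(0);
        bool allBad = flagFromLastElement(a, 100) && flagAccumulated(a, 100);
        return mixed && allBad;
    }
}
```

A regression test for the resolver can reuse the first case: valid answers followed by a final invalid one must not resolve the market to invalid.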
GitHub username: @cpp-phoenix
Twitter username: 0xrochimaru
Submission hash (on-chain): 0x7570d50e8215999f2e3e40019e3df7d03fcaed217267f0047a91ff889da4d872
Severity: high
Affected code: https://github.com/hats-finance/SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/blob/6e5db716e44e251fcee6abd7c1f6a8d6e36db910/contracts/src/RealityProxy.sol#L172C8-L187C10