Open hats-bug-reporter[bot] opened 2 months ago
Which leads to the answer being read and a malicious user buying the tokens of the correct option in order to profit since he knows the outcome
Liquidity providers are responsible for removing the liquidity once the outcome is known.
This is not a problem in the Seer system, it is front-running an answer coming from the arbitrator. In case of a wider known event you could easily just stockpile on the correct answer via other external means other than front-running the mempool.
Answers are known (with a pretty good %) even before the arbitrator calls reality. Liquidity providers should remove liquidity before the answer is known (and in the future, we'll have mix AMM-auction systems).
Github username: -- Twitter username: -- Submission hash (on-chain): 0x9bd66c162b0de1235270393429f06c3715d7fa8084f92d3ae4ba5ab922a40111 Severity: medium
Description: Description\
The
answer
which determines which one of the outcomes is correct is provided by the RealityETH, which is called by the oracle when callingRealityProxy
’s resolveMarket function. Although, theanswer
isn’t submitted on-chain at the same transaction that the market resolution is called by the oracle. Which leads to theanswer
being read and a malicious user buying the tokens of the correct option in order to profit since he knows the outcome. The issue leads to the seer prediction market being predictable, and not meritocratic.P.S. the exploit can be done by either front-running the call of the oracle to market resolution, or by back-running the arbitrator’s call to
submitAnswerByArbitrator
.The issue can be resolved by halting the transferring of conditional tokens of the market, that the arbitrator can call
submitAnswerByArbitrator
to, which means that thequestion_id
isis_pending_arbitration
. That could be done by having a check in the_transfer
of theWrapped1155
.