Open hats-bug-reporter[bot] opened 3 weeks ago
Be aware that while I give an example of a categorical market, this affects all markets.
realitio.setQuestionFee must be called by 0x29F39dE98D750eb77b5FAfb31B2837f079FcE222 itself (aka RealitioHomeArbitrationProxy), and the contract doesn't have a function to do it
Good point, I missed that.
On which chain(s) will this be deployed, and could you list the corresponding arbitrator contract on each chain?
Yeah, the proxy can't do it and the arbitrator is trusted. If the arbitrator were to be compromised, the main issue would not be not to be able to create new markets but for the arbitrator to report wrong results. Note that the arbitrator is a decentralized system operating without bugs for 6 years, so it should be pretty safe.
Github username: --
Twitter username: --
Submission hash (on-chain): 0xaf56c62c95bf3b08112c0eabb0fb0789581b56385ba8db8ce64d7bd99b83624e
Severity: high
Description:
Context
The current flow when creating a categorical market is as follows:
Sample deployment Gnosis Chain
MarketFactory has an arbitrator field which is set to 0x29F39dE98D750eb77b5FAfb31B2837f079FcE222, which seems to be Kleros, which we can assume would be the same for real deployment. This field is immutable in the contract, so can't be changed in the future.
Impact
The Kleros contract is NOT controlled by the Seer team, and as such, at any moment they can decide to call realitio.setQuestionFee to set a bounty to protect against spam, which would effectively DOS the Seer app, as it would not be able to create markets anymore; it would always revert, as Seer is not providing any bounty when creating markets (questions).
Here we can see where Kleros can freely call this any time they desire in Realitio.
Here we can see the exact location in the market creation where the problematic situation is.
Recommendation
Refactor to include a bounty in your contracts and pass it along to Realitio
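One way the recommendation above could look, as an added sketch that is not part of the original report and is not Seer's MarketFactory code. The contract name `FeeAwareQuestionCreator`, its error and its parameter names are hypothetical; the interface is the subset of Reality.eth v3 the sketch relies on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the Reality.eth v3 interface used by this sketch.
interface IRealitio {
    function arbitrator_question_fees(address arbitrator) external view returns (uint256);
    function askQuestionWithMinBond(
        uint256 template_id,
        string memory question,
        address arbitrator,
        uint32 timeout,
        uint32 opening_ts,
        uint256 nonce,
        uint256 min_bond
    ) external payable returns (bytes32);
}

// Hypothetical fragment: reads the arbitrator's current per-question fee and
// forwards enough value to cover it, so question creation keeps working if
// that fee is ever raised above zero.
contract FeeAwareQuestionCreator {
    IRealitio public immutable realitio;
    address public immutable arbitrator;

    error InsufficientQuestionFee(uint256 required, uint256 provided);

    constructor(IRealitio _realitio, address _arbitrator) {
        realitio = _realitio;
        arbitrator = _arbitrator;
    }

    function askQuestion(
        uint256 templateId,
        string calldata question,
        uint32 timeout,
        uint32 openingTs,
        uint256 minBond
    ) external payable returns (bytes32) {
        // Fail early with a clear error instead of Realitio's generic revert.
        uint256 fee = realitio.arbitrator_question_fees(arbitrator);
        if (msg.value < fee) revert InsufficientQuestionFee(fee, msg.value);
        // Forward all value: Realitio deducts the fee for the arbitrator and
        // keeps the remainder as the question bounty.
        return realitio.askQuestionWithMinBond{value: msg.value}(
            templateId, question, arbitrator, timeout, openingTs, 0, minBond
        );
    }
}
```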