Description
The encodeRealityQuestionWithOutcomes function is used in Categorical markets to concatenate the outcomes of the market with the question, category and language. The correct and expected flow of the contract expects each outcome string to contain a single accurate outcome, e.g. for the question "What color will the limited edition car be?" we expect an outcome array like ["red", "blue", "black"].
However, the contract allows us to pass any outcome string without validation. This is usually fine, since front-end users would know incorrect strings cannot be the answer. However, a string can be made to mimic the encoding so that, once concatenated and hashed, a single outcome string looks like 2 different outcomes.
Attack Scenario
encodeRealityQuestionWithOutcomes first encodes the first outcome as bytes memory encodedOutcomes = abi.encodePacked('"', outcomes[0], '"') and then loops over all other outcomes, concatenating each one as abi.encodePacked(encodedOutcomes, ',"', outcomes[i], '"').
This form of concatenation allows an outcome string of the form outcome1","outcome2, which, once concatenated with the rest of the set, is indistinguishable from 2 separate outcomes.
Such string manipulation could even allow a malicious market maker to create a market with a single outcome that contains X legitimate outcomes, meaning that, on-chain, the answer is guaranteed to be invalid.
Recommendation
Even though such an issue could be mitigated, it can only be done externally/manually, so this lack of string validation fits Low severity. Also, the deployment of such markets is instant, and with a short window between deployment and question resolution there may not be enough time to properly verify such markets manually.
A way to mitigate this is to create a mask and use bitwise operations to disallow strings containing ",", which is the character sequence that leads to the replication.
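As an added example (not the project's own code), the following library shows the on-chain check the recommendation above calls for: the outcome encoding reproduced from the report's description ('"a","b"'), preceded by a per-element validation that rejects any outcome containing the delimiter bytes. A plain byte loop is used in place of the bitmask suggested above, and it rejects the double quote as well as the comma, since either byte is enough to break the framing. The library name, error name and helper names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example, not the project's code. Validates outcome strings before
/// they are packed, so one array element cannot masquerade as several.
library OutcomeValidator {
    // Delimiter bytes used by the packed encoding described in the report.
    bytes1 private constant QUOTE = 0x22; // '"'
    bytes1 private constant COMMA = 0x2c; // ','

    /// Hypothetical error: reports the index of the offending outcome.
    error InvalidOutcome(uint256 index);

    /// @dev True if `s` is non-empty and contains neither '"' nor ','.
    function isSafeOutcome(string memory s) internal pure returns (bool) {
        bytes memory b = bytes(s);
        if (b.length == 0) return false;
        for (uint256 i = 0; i < b.length; i++) {
            if (b[i] == QUOTE || b[i] == COMMA) return false;
        }
        return true;
    }

    /// @dev Same concatenation as in the report, guarded by the validation.
    function encodeOutcomes(string[] memory outcomes)
        internal
        pure
        returns (bytes memory encoded)
    {
        require(outcomes.length > 0, "no outcomes");
        for (uint256 i = 0; i < outcomes.length; i++) {
            if (!isSafeOutcome(outcomes[i])) revert InvalidOutcome(i);
        }
        encoded = abi.encodePacked(QUOTE, outcomes[0], QUOTE);
        for (uint256 i = 1; i < outcomes.length; i++) {
            encoded = abi.encodePacked(encoded, COMMA, QUOTE, outcomes[i], QUOTE);
        }
    }
}
```

With this guard, ["red", "blue", "black"] encodes exactly as before, while an element such as red","blue reverts with InvalidOutcome(0) instead of producing an encoding identical to a two-element array. A byte loop costs gas linear in the total outcome length, which is negligible next to market creation; a bitmask over the 256 possible byte values, as the recommendation suggests, gives the same result with one lookup per byte.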
Issues about being able to create misleading markets (ex: misleading question, wrong name for outcomes, etc) as those will not get verified on Curate (https://curate.kleros.io/). We assume the curation mechanism is working perfectly.
Issues about being able to create malicious markets (for example, you can create markets without using the MarketFactory with a malicious arbitrator, create child markets to it) as long as this wouldn't result in those being displayed in the interface looking like a normal markets (if a child market of a malicious market is displayed, but points to some market which is not displayed, cannot be interacted with or is labelled as problematic, we consider it fine as it would not get verified on Curate).
Github username: @PlamenTSV
Twitter username: @p_tsanev
Submission hash (on-chain): 0xc996c302876d0bf05cab6dea82ba14611e429b8a82b85d34e28d17c41914b710
Severity: low