An adversary is able to extract the value by creating an identical market, but with different finalization time.

[hats-bug-reporter]

Github username: @Rassska
Twitter username: m_Rassska
Submission hash (on-chain): 0x2af608995e56e59bedc52897b80e6b7a646f814436b166de2c8562e1c02cc465
Severity: high

Description:

Description

• Upon the market creation, ERC20 tokens are deployed respresenting an exact outcome. A bytecode tied to a certain outcome depends on tokenID which itself depends on:

  • collateralToken
  • collectionID

• This means that there's a possibility to front-run the market creation by changing only openingTime, which results in having the same tokenID for each outcome for both markets within Seer, but on reality, we'll have 2 different questions with openingTime being deviated from each other.

Attack Scenario

• Someone creates a categorial market X representing a chess match with a valid openingTime(in 2 hours should be resolved)
• An adversary sees it, and creates an identical market Y on Seer, which itself creates another question on reality.eth, but with openingTime specified as delta < X.openingTime.
• Since the erc20 tokens deployed for outcomes are the same, an adversary can finalize his market with a desired outcome receiving his collateral back and sells other outcomes on amm.
• As a result, he's able to extract free-risk value.

Mitigation Steps

• There should not be cases, where two different question_ids on reality.eth having the same erc20 positions deployed.

[Rassska]

Mitigation Steps addition

The Seer has to be sure that:

• question_id(reality) is tied to ERC20 outcomes deployed
  But currently it's:
• tokenId(which doesn't include openingTime) -> ERC20 outcome

[greenlucid]

tokenId relies on collectionId, which relies on conditionId

SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/contracts/src/MarketFactory.sol

Line 425 in 4e56254

uint256 tokenId = conditionalTokens.getPositionId(collateralToken, collectionId);

conditionId relies on questionId

SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/contracts/src/MarketFactory.sol

Line 302 in 4e56254

deployERC20Positions(parentCollectionId, conditionId, config.outcomeSlotCount, params.tokenNames);

questionId is a bytes32 created for internal use, and relies on questionIds

SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/contracts/src/MarketFactory.sol

Line 296 in 4e56254

bytes32 questionId = keccak256(

questionIds array is filled with the reality.eth ids, that are reliant on the openingTime

SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/contracts/src/MarketFactory.sol

Line 292 in 4e56254

askRealityQuestion(config.encodedQuestions[i], config.templateId, params.openingTime, params.minBond);

So, how can you create two tokens with the same id, with different openingTimes?

Proof of Concept or you made it up

[clesaege]

As pointed out by @greenlucid, the collectionId would be different. If you still think the issue is correct, you can show a test.