Skip to content

Latest commit

 

History

History
76 lines (52 loc) · 2.73 KB

059.md

File metadata and controls

76 lines (52 loc) · 2.73 KB

Decent Currant Halibut

Medium

ReputationMarket::_createMarket() No Check on Maximum Liquidity Parameter from marketConfigs

Summary

The ReputationMarket::_createMarket() function lacks a check for the maximum allowed value of the liquidityParameter from marketConfigs. This absence could lead to markets being created with excessively high liquidity parameters, potentially causing issues with market stability or and susceptible to gaming by large whales who influence the sentiment requiring inordinate amounts of capital to influence market prices.

https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L318

Root Cause

function _createMarket(
    uint256 profileId,
    address recipient,
    uint256 marketConfigIndex
  ) private nonReentrant {
    // ... 
    markets[profileId].liquidityParameter = marketConfigs[marketConfigIndex].liquidity;
    // ...
}

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

No response

Impact

Real user sentiment is not accurately reflected: Extremely high liquidity parameters could make markets not reflect the true sentiments of users, requiring vast sums of votes to change prices, which might not reflect the intended market dynamics or participant engagement.

Economic Inefficiency: High liquidity could lead to scenarios where the capital needed to influence market outcomes is impractical, reducing market activity or making it less responsive to actual sentiment changes. Misallocation of Resources: If the liquidity is set too high, it might lock up more funds than necessary for market operation, potentially misallocating resources that could be used elsewhere.

PoC

No response

Mitigation

Introduce a maximum liquidity check in the _createMarket function:

function _createMarket(
    uint256 profileId,
    address recipient,
    uint256 marketConfigIndex
  ) private nonReentrant {
    // Ensure the specified config option is valid
    if (marketConfigIndex >= marketConfigs.length)
      revert InvalidMarketConfigOption("Invalid config index");

    // Check for minimum liquidity (if not already done)
    if (marketConfigs[marketConfigIndex].liquidity < 100) {
        revert InvalidMarketConfigOption("Liquidity below minimum for LMSR");
    }

    // Add check for maximum liquidity
    if (marketConfigs[marketConfigIndex].liquidity > MAX_LIQUIDITY_PARAMETER) {
        revert InvalidMarketConfigOption("Liquidity exceeds maximum for market stability");
    }

    // ... rest of the function ...
}