UNPKG

@reality.eth/contracts

Version:

Collection of smart contracts for the Realitio fact verification platform

reality.eth.link

RealityETH/monorepo

52 lines (40 loc) 2.61 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Exported by Edmund Edgar from original document at docs/Audit_Reality_v3_202108.pdf Reality 3.0 / August 2021 Files in scope https://github.com/RealityETH/monorepo/blob/064855bfd8c80a0bcf3da7b73936ce477e99b635/packages/contracts/development/contracts/RealityETH-3.0.sol https://github.com/RealityETH/monorepo/blob/064855bfd8c80a0bcf3da7b73936ce477e99b635/packages/contracts/development/contracts/RealityETH_ERC20- 3.0.sol Current status All issues have been fixed by the developer. There are no know issues in https://github.com/RealityETH/monorepo/blob/e4584d7cf6ab2d9a5b129bd970b7d4517811ae6a. 1 G0 GROUP // Reality 3.0 / August 2021Issues 1. Incorrect bond payout on UNRESOLVED_ANSWER type: faulty implementation / severity: medium When last answer is unrevealed and best answer is UNRESOLVED_ANSWER, the bond from the unrevealed answer will be paid to address(0) instead of to the winner which would we be the case if the best answer wasn’t an UNRESOLVED_ANSWER. status - fixed Issue has been fixed and is no longer present in https://github.com/RealityETH/monorepo/blob/e4584d7cf6ab2d9a5b129bd970b7d4517811ae6a 2. Arbitration can be initiated even with no valid answer, resulting in premature finalisation after the arbitration is cancelled type: security / severity: medium Arbitration can be initiated after an answer commitment is posted, even if no revealed answers have been posted, after this arbitration is cancelled the question will be finalised after finalize_ts seconds, even though no answer has been provided. In results all bonds will be paid out to address(0), bounty will become unretrievable and best_answer will be set to 0. status - fixed Issue has been fixed and is no longer present in https://github.com/RealityETH/monorepo/blob/e4584d7cf6ab2d9a5b129bd970b7d4517811ae6a 3. answer_takeover_fee credited to second answer depends on the way answers are processed type: security / severity: medium In claimWinnings answer_takeover_fee is inconsistently calculated, it is being subtracted from bounty if the winning answer and second best answer are processed in one go, but if they are processed separately, the whole bounty amount is reserved for the winner and can’t by used for the fee. status - fixed Issue has been fixed and is no longer present in https://github.com/RealityETH/monorepo/blob/e4584d7cf6ab2d9a5b129bd970b7d4517811ae6a 2 G0 GROUP // Reality 3.0 / August 2021Notes RealityETH_ERC20-3.0.sol should not be used with ERC20-like token contracts that implement callbacks like ERC777 due to potential re- entrancy issues. 3 G0 GROUP // Reality 3.0 / August 2021