39495 [SC-Low] flatcfm cannot be resolved in case answer of questionid are in greater or equal to 2 outcome count and answer 2 outcome count is 0
Was this helpful?
Was this helpful?
Submitted on Jan 31st 2025 at 07:22:46 UTC by @perseverance for
Report ID: #39495
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/immunefi-team/audit-comp-butter-cfm-v1
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Temporary freezing of funds for at least 1 hour
The FlatCFM can be resolved by getting the answer from RealityETH Oracle for the questionId. When the answer from RealityETH is finalized, anyone can call resolve() to resolve the FlatCFM. It is important that FlatCFM should be resolved so that users can redeem to get the collateral (money) back.
https://github.com/immunefi-team/audit-comp-butter-cfm-v1/blob/main/src/FlatCFM.sol#L58
The answer from RealityETH Oracle are submitted by anyone and the arbitrator if requested via the RealityETH Contract.
In the resolve() function, the contract taken into consideration the invalid case or the case answer is 0 then the FlatCFM is resolved as Invalid Position receive Full Payout.
In an edge case, if the answer is in greater or equal to 2^OUTCOME_COUNT and answer % 2^OUTCOME_COUNT is 0
In this case all the payouts[i] will be 0 .
In this case, the call to conditionalTokens.reportPayouts will be reverted because of errors "payout is all zeroes"
https://github.com/immunefi-team/audit-comp-butter-cfm-v1/blob/main/test/integration/vendor/gnosis/conditional-tokens-contracts/ConditionalTokens.sol#L101
Since the answer is provided by users and arbitration with different scenarios with different actors, although it might be rare situation but still it can happen that answer can be out of range as described above.
If this happened, then the FlatCFM cannot be resolved. Since the question answer might be already finalized when users or the project notice this error, then nothing can be done to provide to correct answer.
Since the FlatCFM is not resolved, then users cannot redeem to get back the token. It will be very complicated situation to handle.
It is better to take this scenario into consideration and prevent it now to avoid this situation. For these scenarios, the FlatCFM can be resolved as Invalid to receive full payout.
Impact of this bug report is that FlatCFM cannot be resolved then users cannot redeem to get back the token.
It might cause Temporary freezing of funds for at least 1 hours
To get back the money, users can merge the tokens, but it is complicated situation and will be difficult to handle since it is related to many users as the tokens are circulating.
Impact severity: at least High
But since this is an edge case, so the likelyhood of this issue might be Low.
In total , I think the bug report can be Medium or Low
I map it into the closet impact listed:
Contract fails to deliver promised returns, but doesn't lose value
But I believe that the severity can be at least Medium, but I let the project and Immunefi team to decide upon that.
https://gist.github.com/Perseverancesuccess2021/89d26594d88080b62121184be87ba7a0
Test code to show the bug
Explanation:
The OUTCOME_COUNT is 50
Set the answer is 2^50
Expect the call to resolve to revert with error: "payout is all zeroes"
Copy the test code into the Unit test:
https://github.com/immunefi-team/audit-comp-butter-cfm-v1/blob/main/test/unit/FlatCFM.t.sol
Also modify a bit the DummyConditionalTokens to behave like the real conditionalTokens
https://github.com/immunefi-team/audit-comp-butter-cfm-v1/blob/main/test/unit/dummy/ConditionalTokens.sol#L86-L88
After that, run the test
Test Log:
Replace https://github.com/immunefi-team/audit-comp-butter-cfm-v1/blob/main/test/unit/dummy/ConditionalTokens.sol
with
https://gist.github.com/Perseverancesuccess2021/89d26594d88080b62121184be87ba7a0#file-conditionaltokens-sol
Replace https://github.com/immunefi-team/audit-comp-butter-cfm-v1/blob/main/test/unit/FlatCFM.t.sol
With
https://gist.github.com/Perseverancesuccess2021/89d26594d88080b62121184be87ba7a0#file-flatcfm-t-sol
After that, run the test
Full Log:
https://gist.github.com/Perseverancesuccess2021/89d26594d88080b62121184be87ba7a0#file-test_testresolvewronganswercallsreportpayoutswithoutofrange_250131_1120-log