Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Realitio.submitAnswerCommitment should enforce a minimum commitment timeout #14

Closed
pacamara opened this issue Apr 10, 2019 · 0 comments
Closed

Realitio.submitAnswerCommitment should enforce a minimum commitment timeout #14

pacamara opened this issue Apr 10, 2019 · 0 comments

Comments

@pacamara
Copy link

pacamara commented Apr 10, 2019
edited
Loading

Realitio.submitAnswerCommitment assigns a commitment timeout of 1/8th of the question timeout.

Therefore for a high frequency application of Realitio with question timeout 2 minutes (plausible and not excluded by the docs), the commitment timeout is within the average block time. This behaviour is not documented. If interacting with Realitio via the Kleros RealitioArbitratorProxy, this enables a malicious miner to time out any commitment and claim the bounty.

Suggest Realitio.submitAnswerCommitment uses require(...) to enforce a minimum commitment timeout which is a safe multiple of the average block time. Or alternatively, commitment timeout/question timeout ratio is increased for short question timeouts.

See pacamara#1 for demonstration code.

(Issue identified from code review for bounty kleros/kleros-interaction#244 )
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@edmundedgar @pacamara