
Binance uncovers “design flaw attack” for Augur prediction markets

A design flaw in Augur allows ambiguous prediction markets to be gamed for profit, according to Binance Research. Furthermore, the report detailed other issues that “plagued” the Augur platform, including prediction market wash trading, low liquidity, and limited participation rates.
In an Apr. 1st report, Binance Research uncovered a myriad of issues with Augur, the Ethereum-based decentralized prediction-market platform, including evidence of wash trading on prediction markets, limited user participation rates, low liquidity, and a concerning design flaw where attackers can potentially scam honest users.
Understanding Augur’s “Design Flaw”
The flaw revolves around creating prediction markets that resolve as “invalid.” According to the Augur white paper, an invalid market is one that is “not suitable for resolution by the platform—for example, because it is ambiguous, subjective, or the outcome is not known by the event end date.”
However, these invalid markets are sometimes difficult (or subjective) to identify. Malicious actors can take advantage of this for profit.
When a market resolves as invalid, bettors in that market are paid out at “equal values for all possible outcomes.” For example, a market with two outcomes would have the reward split equally between both outcomes. A market with three outcomes would have it split three ways, and so on.
Yet, because some prediction market outcomes differ in probability, the cost of betting on each outcome also differs. By creating markets (which are likely to resolve as invalid) where one outcome is highly likely and the other unlikely, an attacker can place bets on the unlikely outcome and profit from honest participants when the market is deemed invalid.
The warning message displayed by Augur.casino, as of Mar. 31st, 2019, describes the issue succinctly:
“If a market resolves as invalid, each share is refunded to traders in equal amounts. If the reporting start time (UTC) isn’t after the actual end of the event, or if the title/description and reporting start time don’t match up, there is a high probability that the market will resolve as invalid.”
Example of a Controversial Market
One example of an at-risk market is one with volume surpassing 4,000 ETH. The market is set to expire on Apr. 1st, 2019 at 1:59 AM (UTC +8). Yet, in the additional details section, it states “General Price of Ethereum Cryptocurrency at end of day March 31st, 2019 UTC.”

Because the “title/description and reporting start time don’t match up,” there is a chance this market will resolve as invalid. As stated by Binance Research:
“The fact that the market specifies one end date in the title/description and a (slightly) different one in the expiration date renders it invalid, allowing the poll’s creator to purposefully bet on the losing outcome and get paid out regardless.”

Based on the above values, if the market resolves as invalid, bets on each outcome would resolve at a value of approximately 0.33, meaning that bets on “$1000 or above” and “$0 – $100” would result in a 65 percent gain while bets on the most likely outcome, “$100 – $1000,” would result in a 46 percent loss.
That said, the report only cited one past example of the flaw. Yet, that market resolved normally even though it was both purposefully vague and included a potential date conflict, suggesting that on-chain governance is capable of dealing with some of the issues raised.
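The two conditions described above, the date mismatch from the Augur.casino warning and the equal-split payout, can be checked before trading. The following is an added example, not code from Augur or Binance Research: the function names are hypothetical, the share prices are constructed (so the returns only approximate the article's figures), and the expiration time is assumed to be the reporting start time.

```python
from datetime import datetime, timedelta, timezone

def invalid_returns(prices):
    """Fractional gain/loss per outcome if the market resolves invalid.

    prices maps outcome -> price paid per share, as a fraction of a full payout.
    An invalid resolution pays every share 1/N, whatever it cost.
    """
    if any(not 0 < p <= 1 for p in prices.values()):
        raise ValueError("prices must be in (0, 1]")
    payout = 1 / len(prices)
    return {outcome: payout / p - 1 for outcome, p in prices.items()}

def date_conflict(event_end, reporting_start):
    """True if reporting starts at or before the event end given in the description."""
    for ts in (event_end, reporting_start):
        if ts.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
    return reporting_start <= event_end  # aware datetimes compare in absolute time

def screen_market(prices, event_end, reporting_start):
    """Summarise invalid-resolution risk for one market."""
    returns = invalid_returns(prices)
    return {
        "date_conflict": date_conflict(event_end, reporting_start),
        "returns_if_invalid": returns,
        # Outcomes whose holders lose money if the market is ruled invalid.
        "exposed_outcomes": sorted(o for o, r in returns.items() if r < 0),
    }

# Constructed prices for a three-outcome market (not the real order book).
SAMPLE_PRICES = {"$0 - $100": 0.20, "$100 - $1000": 0.60, "$1000 or above": 0.20}
# Description: "end of day March 31st, 2019 UTC".
EVENT_END = datetime(2019, 3, 31, 23, 59, 59, tzinfo=timezone.utc)
# Expiration: Apr. 1st, 2019 at 1:59 AM (UTC +8), i.e. Mar. 31st 17:59 UTC.
REPORTING_START = datetime(2019, 4, 1, 1, 59, tzinfo=timezone(timedelta(hours=8)))

if __name__ == "__main__":
    report = screen_market(SAMPLE_PRICES, EVENT_END, REPORTING_START)
    print("date conflict:", report["date_conflict"])
    for outcome, r in report["returns_if_invalid"].items():
        print(f"{outcome}: {r:+.1%} if invalid")
    print("exposed:", report["exposed_outcomes"])
```

Converted to UTC, the expiration falls about six hours before the end of the day named in the description, which is why the check flags the market even though the two dates look only a day apart.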
Combating Bad Actors
The way Augur currently combats this problem is through a combination of mechanisms. First, a market creator must provide a “validity bond,” an amount staked by the market creator that is slashed if the market resolves as invalid. However, market behavior indicates that the cost of these bonds is low enough that users can “repeatedly create bogus markets at a fixed cost,” according to Binance Research.
The second way (along with other ways) Augur solves the issue is through the dispute mechanism. If the settlement of the market is disputed, then REP holders can vote to decide which outcome is correct. In some circumstances, even if a market should technically be ruled as invalid based on Augur’s documentation, voters may decide that a market with tricky wording should resolve based on voters’ reasonable interpretations. As such, this pits “code as law” ideologists against “pragmatic” voters, as said by Binance Research.
Response from the Community
The community has known about the exploit, at the latest, since Mar. 19th, with one popular Reddit post titled “Augur is being gamed!” garnering significant attention. Other crypto media outlets have also covered the exploit since Mar. 20th.
On Mar. 19th, Joey Krug (a core developer for Augur, a co-chief investment officer at Pantera Capital and co-founder of Beam) explained that concern over the exploit was overblown:
This is kinda fake news for a few reasons. #ethereum @AugurProject
1) Almost all of these purposefully confusing markets are being created by one person, not a bunch of people. The activity on those markets is also by one person / address. https://t.co/9jLIeGqun9
— Joey Krug (@joeykrug) March 20, 2019
Furthermore, the core developer tweeted that a new category for “invalid” bets will become tradeable in the next version of Augur, effectively addressing the exploit:
This will be fixed in v2 of augur.
3) Invalid will be a separately tradable in v2. So markets where this is happening can be easily filtered out, and people trying to do the attack described in the OP would auto trigger the filter by virtue of their trading invalid.
— Joey Krug (@joeykrug) March 20, 2019
Augur’s Progress on Addressing the Flaw
According to Binance Research, the Augur team has already identified the attack mentioned, as well as other potential improvements for version 2 of the platform. However, the report also criticized the project for failing to address these issues in a timely fashion:
“The Augur team has already admitted that these technical problems were on their radar 6 months ago, but little action has been taken to protect users.”
The report also provided several potential solutions to the attack, including a price-based refund mechanism, clearer warnings and disclosures, and even a new “market validator” category of participant. Allegedly, if these issues aren’t resolved:
“While Augur is a strong use-case of blockchain, if some of these issues are not handled properly moving forward, the Augur ecosystem could be left with only its malicious actors and bystanders, as honest participants [are left] repeatedly losing funds and then leaving the ecosystem,” said the report.