Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Gnosis wrote the Conditional Token Framework (CTF). It is a complex tree of tokens, each representing some subset of choices. When a bet is made, users deposit collateral for a "full" (all options) token. Then, they trade sub-tokens in an external market to eventually arrive at a final position. Polymarket is a prediction market web3 company that uses CTF. While looking for variants of a bug found during an audit of Buter Conditional Funding Markets, they found a vulnerability in Polymarket.

In CTF, the function prepareCondition() creates the new condition for a position. This takes in an oracle, question and answer count as parameters. After this has been done, SplitPosition is used to split into the various outcomes. It has a very crucial condition: this function can only be called once.

Before Trust audited Butter, a patch with pretty clear security implications around CTF was submitted. Most protocols using this are permissionless, if an attacker can submit arbitrary parameters to prepareCondition(), then it prevents others from doing so in the future. This is a clear denial of service issue with the integration of the CTF library.

When Trust comes across a bug, they see if others have made the same mistake. So, they went to Github and searched for prepareCondition() not being wrapped correctly. In Polymarket, they noticed that an admin can call initialize() to create a new poll. By frontrunning this submission, it's possible to ensure that no questions can ever be answered.

Trust is/was on the Immunefi suspension list. So, they tried to reach out to Polymarket directly. When doing so, Trust initially was didn't want to disclose the exact issue until a payment range was decided. Even when they refused to give a range, the report was given to them.

According to Polymarket, the bug had been reported to them through Immunefi already, making this a dup. Since this had been known prior and things like Polygon fastlane can prevent it, it wasn't an issue to them. Additionally, Polymarket pointed out that this impact wasn't directly in scope, which is a terrible reason since there is real user impact. The bug being paid out in the first place and, therefore, nothing going to Trust is a legit reason not to pay out, though.

Unfortunately, Polymarket is not going to fix the issue. This puts users at risk and it all takes is a bad actor to prevent any/all usage of the platform. According to Trust, this was to dodge paying a big bug bounty under Immunefi terms but it's hard to say. I do wish that the security issue was documented as a known issue though - that's probably something that more programs should do imo.

Trust seems to be very good at variant analysis, which is awesome way to find bugs. I've been doing this lately and had pretty good success at it. Interesting bug and bug discovery!