Summary

A malicious actor, by posing as a legitimate seller, can trigger multiple dispute resolutions causing the buyer to incur significant, potentially crippling, arbiter fees. This issue is due to the inflexible implementation of the dispute resolution mechanism and lack of seller stake.

Vulnerability Details

The arbiter fee is set as an immutable variable, while the design assumes that every dispute is genuine and the arbiter fee must be paid in every dispute resolution. As a consequence, low effort "bogus" engagements by sellers will require the buyer to pay the full arbiter fee to recover their funds from the contract.

Impact

• Permanent loss of funds: The buyer could end up losing arbitrary amounts in the form of arbiter fees in case of a malicious seller (the attacker) who intentionally creates bogus engagements and then does not fulfil them. Alternatively, the low effort engagements may be constructed in a "believable enough" way such that the arbiter will retain all or most of the fees paid, even if benevolent. For example low quality reports may be AI generated, and will require effort on the part of the arbiter to resolve, which will cause the arbiter to retain the fees paid.

• Temporary freezing of funds: The buyer temporarily loses access to the full disputed amounts for the duration of the dispute.

• DoS of arbiter: The arbiter is subjected to handling numerous bogus disputes which wastes their time and resources.

Likelihood

It can be exploited in a repeated and scalable manner by a malicious actor (the seller) without any risk or loss, causing widespread disruption and loss of trust in the system. It also subjects the arbiter to unnecessary work and grief. There are multiple potential profit motives: sellers may disrupt the platform to reduce competition from other sellers, projects may grief buyer projects they are in competition or rivalry with, competitor security services or platforms may grief the hosting platform.

Tools Used

Manual analysis.

Recommendations

Although a reputation system can help in general, it is impractical for this type of market place in which both seller pseudonymity and a lack of barrier to entry for new sellers are core requirements.

• Introduce a mechanism that allows for the arbiter fees to be waived in case of clear bogus engagements. This could be determined by the arbiter during the dispute resolution.

• Require the seller to stake an amount that can be slashed in case of a repeated pattern of creating bogus engagements or not fulfilling their obligations. This ensures that the seller has a financial incentive to act honestly, and prevents DoS attacks using crypto-economic incentives.