Summary

As there is no proof of the off chain report sent, bolt parties can deceive the arbiter for maximal profit, and harming the reputation of the other participant.

Vulnerability Details

This is a vulnerability is not in the code, but in the logic that the whole system relies on, and that is the trust between two parties. This issue is gonna be easier to understand if I explain the solution first, and that is a hash of the full report, provided in the system, by the seller. Now with this hash, if a dispute arises the arbiter can see that hash, compare it to the report provided, and if they match he can continue his work with bolt parties. If they don't match he know that the party that provided him with the off-chain report is deceiving him. Without the system implementing this proof report once or even bolt parties can lie about their received service in order to maximize profits or lower costs.

Scenario 1 Seller's fault:

Normal agreement happens between the two parties and everything goes well up to the point where the report is sent to the buyer, where it is discoverer that the report is not of best quality and the seller probably spend too little time reviewing the code and did not provide much value to the buyer. There are 2 outcomes:

• Buyer acts as that is enough and send payment - Seller wins, because he did not spend much time/resources on the project

• Buyer calls initiateDispute and starts the dispute. - Bolt parties are equal

From there on as the seller sees the dispute he can better the report and try do improve it's quality. He will have the time, since the arbiter will not be instant (since he would need to reach and talk with the first party and then the second) with the request and the seller could most likely delay (by making excuses or responding late) sending the report to the arbiter by a day or two. In this time he would prepare at least a report with higher quality (even a good report to show that the buyer can be the one deceiving) that will show the arbiter that he did put in time and effort.

Now the arbiter will not fully know which party is lying, since seller is showing a good report with higher quality and buyer is showing a bad report with low quality.

Scenario 2 Buyer's fault:

Again normal agreement happens and the issue occurs again when the report is sent. Now the buyer removes parts and worsens the quality of the report and call initiateDispute and send this bad report to the arbiter.

• Arbiter decides that the report is of bad quality so he refunds a portion of the funds back to the buyer - Buyer wins

• Seller decides to argue and provides the real report to the arbiter - Bolt parties are equal

Now the arbiter does not know what to do since one party is explaining one story and the other party another.

Representation

This is a a representation of game theory, where 2 ration player play the game for the benefit of oneself. In this manner without any proof from the chain there is no sure lair and any arbiter will be judging not on provided proofs, but more on trying to guess "who can be the deceiving one".

Consequences

Worst case scenario is when one of the parties one way or another have deceives the arbiter successfully. This is likely to happen sooner or later, even if small number of players play the game fairly. Afterwards the reputation of the other innocent party is harmed to some degree:

• If they are auditor, they will loose some percent of future audits, due to projects not trusting them anymore

• If they are a project, future auditors may decline their offer, or want more money for the audit

This way if one of the parties succeeds, not only they gain material benefits, but they also harm the reputation of the other innocent party.

Impact

Any party can manipulate the odds in his favor, reducing cost or maximizing profits (through spending less time on doing the audit).

Tools Used

Manual review

Recommendations

Give an option (make a function) for the seller to provide a hash of the report or better, a hash of the GitHub commit. If he does not proceed calling this function you could suspect that he is trying to manipulate the game.