Decentralized betting protocol Augur is dealing with a situation: fraudsters can illegitimately profit by gaming the system, and there’s not much its devs can do about it (for now).
Augur co-founder Joey Krug recently addressed community concerns about scammers taking over the platform. They’re alleged to be intentionally creating invalid markets en masse, which fool the system into mistakenly distributing profit to the attackers.
For context, Augur is a blockchain-based marketplace for prediction betting, where anyone can open a market on any subject. Token holders are encouraged to come to consensus over the outcome of a particular bet (say, that it will rain in New York on Thursday), and a system of smart contracts distributes the winnings.
Hard Fork spoke with Krug for an inside look at how Augur is responding to the threat, and how it plans to protect users moving forward.
Bad news: not much can be done until Augur 2.0 arrives
Below is one example of the “invalid market” scam. This seems like a standard Augur market, which encourages cryptocurrency users to wager on what they think the price of Ethereum will be at the end of this month ($0-100, $100-1,000, or over $1,000).
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!
The problem is the market expires before the end of March (at 7:59PM) rather than at midnight. It is believed that once this market reaches its expiration date, bad actors could potentially profit even though they made obviously incorrect bets.
Usually, Augur participants rule markets like these “invalid.” To exploit this, attackers are said to bet on impossible outcomes, while voting to make the market invalid. This triggers Augur to distribute all funds held in the market equally between participants.
In practice, this process allows scammers to profit when they shouldn’t. They can intentionally create invalid markets, bet on the wrong outcomes, and walk away with more cryptocurrency than when they started.
Augur already attempted to plug this loophole with things called “validity bonds.” They act as collateral that Augur will confiscate if users try cheat with bad markets.
“With validity bonds, the idea is you lose money if you create an invalid market,” Krug told Hard Fork. “But right now the formula to calculate them isn’t working properly.”
The problem facing Augur devs is the algorithm that decides how much money is lost when invalid markets are intentionally created isn’t configured correctly. It’s supposed to deter bad actors from attempting the “invalid market scam,” as the amount Augur takes as punishment is meant to outweigh any potential profit.
“Right now, they don’t lose much, and the system is supposed to raise that amount over time until the number of invalid markets decreases, but that’s buggy, so that will be fixed,” Krug continued.
It can’t be fixed, though, without updating Augur’s smart contract code, which is an incredibly difficult process. Any potential patches would need to be made with an “on-chain update,” and Augur’s next one isn’t expected until later this year.
“There’s another fix, too, which is to allow trading on whether a market is valid or not, so in order to profit from it, a troll would have to repeatedly bid for it to be ‘invalid,’ which could trigger a UI filter to alert users,” claimed Krug. “But again, that can’t be done without an ‘on-contract’ update.”
Good news: special UI warnings might be a temporary fix
An airtight solution might still be months away, but Krug isn’t exactly convinced Augur faces a scammer epidemic.
“These aren’t things to be rushed. I think it’s probably easier to address UI side, by warning people about this stuff more,” Krug told Hard Fork. “The Reddit thread acted like this is a super common occurrence, but this is the only second popular market I’ve seen with this exact issue.”
Krug is referring to implementing basic UI messages designed to warn the user they could be interacting with a potentially fraudulent market. “’Check if the market expiration date is different than the one in the title, if so do not trade,’ would be an example of a poorly written one I just came up with,” he suggested.
Krug also said testing and auditing of a more reliable solution had already begun. He described a UI capable of programmatically detecting suspicious bidding, allowing users to avoid bad markets automatically. But again, it won’t arrive until Augur 2.0 is deployed.
To date, the only other example of the “invalid market scam,” Krug claimed, is a market specific to last year’s US midterm election. Thanks to an ambiguously worded market description and poor date selection, the outcome of related Augur bets was not decided until months later, despite millions of dollars worth of cryptocurrency in play.
“Both markets were created by the same Ethereum address, too,” Krug told Hard Fork. “So it’s someone purposefully trying to trick people.”
For now (until preliminary fixes can be pushed) users are advised to pay close attention to descriptions and dates listed on Augur markets – failure to do so could end badly.
Did you know? Hard Fork has its own stage at TNW2019, our tech conference in Amsterdam. Check it out.
Get the TNW newsletter
Get the most important tech news in your inbox each week.