Decentralized betting protocol Augur is dealing with a situation: fraudsters can illegitimately profit by gaming the system, and there’s not much its devs can do about it (for now).
Augur co-founder Joey Krug recently addressed community concerns about scammers taking over the platform. They’re alleged to be intentionally creating invalid markets en masse, which fool the system into mistakenly distributing profit to the attackers.
For context, Augur is a blockchain-based marketplace for prediction betting, where anyone can open a market on any subject. Token holders are encouraged to come to consensus over the outcome of a particular bet (say, that it will rain in New York on Thursday), and a system of smart contracts distributes the winnings.
Hard Fork spoke with Krug for an inside look at how Augur is responding to the threat, and how it plans to protect users moving forward.
Bad news: not much can be done until Augur 2.0 arrives
Below is one example of the “invalid market” scam. This seems like a standard Augur market, which encourages cryptocurrency users to wager on what they think the price of Ethereum will be at the end of this month ($0-100, $100-1,000, or over $1,000).
The problem is the market expires before the end of March (at 7:59PM) rather than at midnight. It is believed that once this market reaches its expiration date, bad actors could potentially profit even though they made obviously incorrect bets.
Usually, Augur participants rule markets like these “invalid.” To exploit this, attackers are said to bet on impossible outcomes, while voting to make the market invalid. This triggers Augur to distribute all funds held in the market equally between participants.
In practice, this process allows scammers to profit when they shouldn’t. They can intentionally create invalid markets, bet on the wrong outcomes, and walk away with more cryptocurrency than when they started.
Augur already attempted to plug this loophole with things called “validity bonds.” They act as collateral that Augur will confiscate if users try cheat with bad markets.
“With validity bonds, the idea is you lose money if you create an invalid market,” Krug told Hard Fork. “But right now the formula to calculate them isn’t working properly.”
The problem facing Augur devs is the algorithm that decides how much money is lost when invalid markets are intentionally created isn’t configured correctly. It’s supposed to deter bad actors from attempting the “invalid market scam,” as the amount Augur takes as punishment is meant to outweigh any potential profit.
“Right now, they don’t lose much, and the system is supposed to raise that amount over time until the number of invalid markets decreases, but that’s buggy, so that will be fixed,” Krug continued.
It can’t be fixed, though, without updating Augur‘s smart contract code, which is an incredibly difficult process. Any potential patches would need to be made with an “on-chain update,” and Augur‘s next one isn’t expected until later this year.
“There’s another fix, too, which is to allow trading on whether a market is valid or not, so in order to profit from it, a troll would have to repeatedly bid for it to be ‘invalid,’ which could trigger a UI filter to alert users,” claimed Krug. “But again, that can’t be done without an ‘on-contract’ update.”
Good news: special UI warnings might be a temporary fix
An airtight solution might still be months away, but Krug isn’t exactly convinced Augur faces a scammer epidemic.
Published March 20, 2019 — 18:56 UTC