In order for Realitio UI to pick up tos it shouldn't be a separate public variable in ForeignProxy contract, but instead it should be a part of metadata in homeProxy. See RealitioProxy on Polygon for reference

The analysis was run on the commit in which multiple simultaneous arbitration requests for different contested answers were NOT allowed.

https://docs.google.com/document/d/1BdkPEY2NFBGnGhLXDWl2fqqHjUADDo7_7vJiSv5KArI/edit?usp=sharing

https://docs.google.com/document/d/1mLjbZQ3S3S2hCg00kHHkajvZbcJIz-2LtDCn-8wB0qk/edit#heading=h.vmr18azc7i6z

This is a deployed contract, do not post potential vulnerabilities there unless we give you the permission to or formally reject your vulnerability.

Reality.eth

This is a bug bounty on the Reality.eth contract.
Bugs are rewarded up to 50 ETH according to this classification:

• Critical Bugs: 50 ETH
  for bugs with a high likelihood of allowing an attacker to make the oracle return the wrong answer.
• Major Bugs: 25 ETH
  for bugs that can lock a non negligible amount user funds or enable stealing a non negligible amount of user funds.
• Minor Bugs: 2 ETH
  for smaller bugs which can still produce a non negligible amount of harm to users.

Issues which do not result in a contract redeployment can only be classified as minor.

If you find a bug you can send a mail to [email protected]. In case of dispute about the classification of a bug, Kleros will be used to solve it.

Reality.eth

Reality.eth is a crowd-sourced on-chain smart contract oracle system by Reality Keys.
You can find the documentation there. Note that some parts of the documentation may only apply to the previous version of Reality.eth.

This contract is deployed on the xDAI chain.

Bounty

Bounty Rules

• If you have any questions, don't hesitate to ask on the slack channel (slack.kleros.io #smart-contract-review) or by sending a mail to [email protected] .
• This bounty may be advertised on multiple platforms. Bounties are only awarded to the first person finding the bug irrespective of the platform.
• Posting vulnerabilities publicly, even on this github, before being allowed or having your vulnerability formally rejected is forbidden and would void your claim for rewards.
• Good luck and have fun hunting!
• Note that we are aware that the variables storing time are uint32 and a new version will need to be redeployed before the end of the century.

Extra info

Extra information are given for informational purpose. This allows you to see the bigger picture of what the contract is made for.

• Frontend, be sure to be connected to the xDAI network.
• Omen, a prediction market relying on the reality.eth oracle. Be sure to be connected to the xDAI network.
• Kleros connectors to arbitrate on Reality.eth disputes. Connector on xDAI and connector on mainnet. Those have their separate bounty.

@hbarcelos No vulnerabilities nor minor issues found.

https://docs.google.com/document/d/1Q33fR6WcpgzWcZhymZ7-QiV_xj4uRvhgI_7O1Akka0k/edit?usp=sharing

Cross chain Kleros-Reality.eth connectors

This is a bug bounty on connectors contracts between Reality.eth (on xDAI) and Kleros.
Bugs are rewarded up to 50 ETH according to this classification:

• Critical Bugs: 50 ETH
  for bugs with a high likelihood of allowing an attacker to make the oracle return the wrong answer.
• Major Bugs: 25 ETH
  for bugs that can lock a non negligible amount user funds or enable stealing a non negligible amount of user funds.
• Minor Bugs: 2 ETH
  for smaller bugs which can still produce a non negligible amount of harm to users.

Issues which do not result in a contract redeployment can only be classified as minor.

If you find a bug you can send a mail to [email protected]. In case of dispute about the classification of a bug, Kleros will be used to solve it.

Reality.eth-Kleros connectors

Those contracts are connectors allowing disputes on Reality.eth on xDAI to be ruled by Kleros on Ethereum mainnet.

• See reality.eth documentation for an overview of the mechanisms of this oracle.
• Disputes are started on the Ethereum mainnet on RealitioForeignArbitrationProxy. The requester need to put a deposit.
• Reality.eth on xDAI is informed that a dispute is created through RealitioHomeArbitrationProxy. If something happened in between (like someone changing the answer) the request is canceled and the requester is refunded.
• Kleros on Ethereum mainnet is informed that the dispute can be created through RealitioForeignArbitrationProxy. If the arbitration fees had changed in the meantime, the requester is refunded and Reality.eth is informed through RealitioHomeArbitrationProxy.
• Kleros gives a ruling which is transmitted to Reality.eth through RealitioForeignArbitrationProxy and RealitioHomeArbitrationProxy.

Bounty

Smart Contract Guidelines

We use those guidelines to write smart contracts. In particular, we do not try to prevent stupid behaviors at the contract level but leave this task to the UI. Letting the possibility to a user to harm itself is not a vulnerability (but should of course be dealt at the UI level).

Violation of guidelines are not vulnerabilities but can be reported as "suggestion for tips" (you may get a few PNK for it).

Bounty Rules

• If you have any questions, don't hesitate to ask on the slack channel (slack.kleros.io #smart-contract-review) or by sending a mail to [email protected] .
• This bounty may be advertised on multiple platforms. Bounties are only awarded to the first person finding the bug irrespective of the platform.
• Posting vulnerabilities publicly, even on this issue, before being allowed or having your vulnerability formally rejected is forbidden and would void your claim for rewards.
• Good luck and have fun hunting!

Extra info

Extra information are given for informational purpose. This allows you to see the bigger picture of what the contract is made for.

• Frontend, be sure to be connected to the xDAI network.
• Omen, a prediction market relying on the reality.eth oracle. Be sure to be connected to the xDAI network.
• Reality.eth and its documentation. Those are part of a separate bounty.