
A look at irregularities discovered on Augur

Design flaws plague Augur's prediction markets

April 1st 2019

KEY TAKEAWAYS

  • Prediction markets appear to be one of the best use-cases for blockchain as they should be trustless and work without the need for a centralized operator. In theory, a blockchain-based prediction platform can allow for transparency while being out of reach from potential governmental actions and censorship.
  • Yet, Augur - despite being the most popular predictive platform running on a blockchain - faces several issues in its current iteration:
    • Barebones usability functions
    • Low liquidity and participation rates
    • Complex voting, settlement and forking mechanisms
  • Past examples featured scenarios where markets had inherent flaws, leading to controversial outcome reporting and settlements. For active REP token-holders, it illustrates the governance debate between “code is law” and pragmatic approaches.
  • An actively traded market, expiring on April 1st, is currently facing a “design flaw attack”, in which a malicious market creator may design a market with the intention of exploiting a purposeful flaw. Even so, several outcomes can occur during such an attack, without risk.

Augur is a decentralized prediction market platform built on top of Ethereum that allows any individual to create a prediction market regarding the outcome of any event, such as a result of a soccer game, the winner of a presidential election, or even the future price of a cryptocurrency.

Though the project has stimulated some questions about the legality of some prediction markets and the actions that they may incentivize [1], the platform itself still has yet to be thoroughly investigated by many.

Brief description of Augur

Augur is a "trustless, decentralized oracle and platform for prediction markets". It was founded in 2014 and conducted an ICO in 2015 [2].

Figure 1. Simplified outline of the lifetime of a prediction market (Augur whitepaper)

Augur markets follow four stages [3]:

  • Creation of a prediction market: the market creator needs REP to create a market topic, set the event end time, and potentially select a designated reporter that will decide the outcome of the event. However, the community (REP owners) always has the opportunity to dispute and correct any such designated reporter, if there indeed is one.
  • Trading: trading begins whenever a market is created. Markets are all denominated in Ether (ETH).
  • Reporting: Reputation (REP) tokens (or designated reporters) are used to determine the outcome of each market.
  • Settlement: token-holders stake their REP on the actual observed outcome and receive settlement fees from the realized volume in the market, proportional to their stake as determined by the fee set at the time of market creation.

Existing issues

Since the official launch of the UI in 2018, there have been some technical issues with the first version of Augur.

1. General issues

In order to access Augur, users must either:

  • download the Augur app (and either (1) utilize an Infura endpoint or (2) download the entire Ethereum blockchain)
  • rely on one of many web UIs

With a complex base of smart contracts, functions, and features, Augur's steep learning curve often causes new users to utilize one of two websites - an IPFS-hosted version of a web interface, or the "augur.casino" website. Recently, Veil, Guesser, and several other decentralized apps have been built on Augur to abstract away from some of the usability issues that face an onchain product.

On these websites, the UI offers several sorting and filtering mechanisms, either by volume, by ending date, or by open interest. This may lead to certain markets receiving more exposure than others via manipulation of their order books.

Decentralized URLs also lead to differences in the warnings, issuances, and features offered on different interfaces. For example, Augur.casino has two sets of warnings for the same prediction market (e.g. "Ethereum Price at end of March 2019?"), one on the market page and one prior to placing an order. Meanwhile, the IPFS version, while nearly identical, lacks such warnings.

Image 1. IPFS-hosted version (accessed as of 3/31/2019 at 10am UTC)

Image 2. "Augur.Casino" version displaying a warning (accessed as of 3/31/2019 at 10am UTC)

Image 3. Warning displayed on "Augur.Casino" (accessed as of 3/31/2019 at 10am UTC)

2. Technical Issues

Market illiquidity

With little help in breaking down the complexity of the entire prediction market system, users are usually more likely to participate in markets with low spreads and high volumes, both of which suggest that other users found the market worthy of betting on. However, for the cost of a couple of Ethereum transactions' gas payments, a manipulator could utilize two Ethereum accounts to make fake transactions in order to provide an initial padding of volume that attracts potential traders. For the majority of markets, participation rates are incredibly low, conversely leading to a feeding frenzy on the few markets that do have significant reported volume.

Incentive Problems

Currently, the validity bond, or the amount staked by the market creator that is seized if the market created is marked invalid, does not adjust with the size of the market, such that users can repeatedly create bogus markets at a fixed cost. Without trust in the validity of a market, it is difficult for users to participate in any given market, because of increased lockup times due to disputes, and potential swings in the value of all outcomes. Consequently, this may exacerbate any existing features that hamper market liquidity.

Voting & Possible Forks

If a market receives a dispute, the settlement of the market will go to a vote, in which the outcomes in question have opportunities to receive stakes denominated in REP from network participants deciding on the outcome they believe in.

The exact proceedings of live disputes may be visualized here.

Stakers that stake with the winning outcome will receive a share of the "wrong stakes" proportional to the amount they contributed to the winning stake. Beginning with an amount as determined by the formula from the whitepaper, each outcome must post 2 times the total amount staked in the entire dispute minus 3 times the stake for the other outcomes in the round.

If multiple outcomes pass this threshold continually and one such outcome's stake reaches 2.5% of Augur's total supply, the chain will undergo a fork, and all REP users will be able to move their pre-fork REP coins to the chain with the outcome of their choice.

To incentivize users to quickly make a decision, "all token holders who migrate their REP within 60 days of the start of a fork will receive 5% additional REP in the child universe to which they migrated". On top of that, a forking period will end when either:

  • 60 days have passed.
  • More than 50% of all genesis REP is migrated to a child universe.

This forking situation has some game theoretical situations similar to the Bitcoin - Bitcoin Cash (and subsequently ABC and SV) and the Ethereum - Ethereum Classic forks, in which network participants must judge which network may have a more viable future and a majority of the community's support.

In the proof-of-work cases, miners must decide which chain has the best utility value, and instantaneously direct their hashrate at their favored chain at the given block height. In this case, REP holders must decide which result, and the precedent that result sets, is most attractive for keeping and welcoming future volumes from prediction market participants, such that their governance fees and utility value can be maintained or grow. Users that pick the least popular chains could lose their holdings in the majority's world, and thus be punished.

It is at this forking juncture that activism of the entire REP body may decide the outcome of a large market - could a non-active token holder body potentially harm the likelihood of success of either outcome?

With many non-proof-of-work coins, the coins themselves have much power in deciding rewards for participants, and with large amounts of Augur tokens parked on Compound Finance and many centralized exchanges, the number of free tokens that may vote right away may be lower than required to maintain efficient reporting and settlement for any Augur market.

As a result, with many tokens held in wallets that users do not control or custody themselves, an inactive token holder body may be potentially harmful for the entire Augur ecosystem. Yet it remains unclear whether large token holders, such as exchanges, should - or even can - vote and whether or not the voting ability can be taken away from users who do not hold custody of their own coins.

A Controversial Market

As mentioned before, one of the controversial markets that has just expired is related to the price of Ethereum at the end of March 2019 [4].

The market posits three outcomes:

  • $1000 or above
  • $100 - $1000
  • $0 - $100

With a volume surpassing 3500 ETH, this market expired on April 1, 2019 1:59 AM (UTC +8). However the additional disclosures section of the market stated that the "General Price of Ethereum Cryptocurrency at end of day March 31st, 2019 UTC." would be measured. As the contract expires before the end of day UTC time, this contract may end up being marked invalid.

This type of attack can be referred to as a "design flaw attack".

Here is a summary of the current attack vector as executed on this prediction market:

  • Create a market with multiple outcomes with at least one being quite unrealistic (such as Ethereum being above 1000USD), and one being seemingly very easy to achieve (ETH trading within the range of 100USD to 1000USD)
  • Simulate market activity by trading between a few wallets to boost volumes (wash trading). As Augur exhibits low volume across a majority of its markets, this specific market becomes the most active and hence, the most visible of all traded markets on Augur.
  • The attacker, on purpose, then sends a limit sell order for the outcome that the "price of Ethereum will be between 100 and 1000USD" [5] at a quote that is above what would be rewarded by an invalid result, but quite below that which an unsuspecting participant may consider as a good deal. Thus, the newcomer fills the order, and is now stuck in the potentially invalid market.
  • Once the market expires, the attacker hopes that it will be resolved as "invalid", such that all shares in the market return an equal amount of ETH for shares of each outcome ("If the market had N possible outcomes (not including the Invalid outcome), and the cost of a complete set of shares was C ETH, then traders will receive C/N ETH for each share settled with the market contract.") [6].

    In this case, each "Yes" outcome in the three-outcome market would be marked to ⅓ value if the market is indeed deemed invalid, and the normal user looking to purchase seemingly undervalued shares for a likely outcome actually ends up purchasing shares that end up getting slashed to ⅓ value.
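The C/N settlement rule quoted above can be turned into a pre-trade check that a trader or a UI could run before filling an order. The following is an added example, not code from the report or from Augur; it assumes the seller escrows C minus the price and holds one share of every other outcome, ignores reporting fees, and uses constructed ask prices.

```python
from fractions import Fraction


def invalid_payout_per_share(num_outcomes, set_cost=1):
    """C/N rule: on Invalid, every outcome share settles at the same value."""
    if num_outcomes < 2:
        raise ValueError("a market needs at least two outcomes")
    return Fraction(set_cost) / num_outcomes


def fill_exposure(price, num_outcomes, set_cost=1):
    """Result of one share filled at `price` if the market resolves Invalid.

    Assumptions (not from the report): the seller escrows set_cost - price and
    holds one share of every other outcome; reporting fees are ignored.
    """
    c, p = Fraction(set_cost), Fraction(price)
    if not 0 < p < c:
        raise ValueError("price must lie strictly between 0 and the set cost")
    payout = invalid_payout_per_share(num_outcomes, c)
    seller_cost = c - p
    seller_payout = payout * (num_outcomes - 1)
    return {
        "invalid_payout": payout,
        "buyer_return": (payout - p) / p,
        "seller_return": (seller_payout - seller_cost) / seller_cost,
        # If the outcome would certainly win in a valid market (paying c),
        # the fill has non-negative expected value only while the chance of
        # an Invalid resolution stays at or below this probability.
        "max_invalid_prob": (c - p) / (c - payout),
    }


def asks_losing_on_invalid(asks, num_outcomes, set_cost=1):
    """Return (price, buyer_return) for asks priced above the Invalid payout."""
    floor = invalid_payout_per_share(num_outcomes, set_cost)
    return [
        (Fraction(a), fill_exposure(a, num_outcomes, set_cost)["buyer_return"])
        for a in asks
        if Fraction(a) > floor
    ]


if __name__ == "__main__":
    # Constructed ask prices (ETH per share) for the "$100 - $1000" outcome.
    for price, ret in asks_losing_on_invalid(["0.30", "0.66", "0.70"], 3):
        info = fill_exposure(price, 3)
        print(f"ask {float(price):.2f}: buyer {float(ret):+.1%} on Invalid, "
              f"seller {float(info['seller_return']):+.1%}, "
              f"break-even P(Invalid) {float(info['max_invalid_prob']):.0%}")
```

Prices are passed as strings so that `Fraction` parses them exactly rather than through binary floating point.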

Outcomes for the settlement of the current case

Outcome 1 - Market resolves as invalid

If the market resolves as invalid, as outlined in the whitepaper, each of the three outcomes would resolve to the price of ⅓, such that all yes outcomes are priced equally, despite the normal participants submitting the majority of the entire pot size for the market reward. According to Predictions.global, the amount invested in the seemingly correct outcome, the $100-1000 range, accounts for a large majority of the market, and based on the market price of this range for the duration of the market, investors buying this outcome, on average, placed nearly twice as much into escrow as the manipulators, so receiving an equal price for all outcomes could cause a loss of over 50% for normal participants, and 100%+ returns for manipulators.

Outcome 2 - Market disputed but doesn't resolve as invalid

As of March 31st, no rational individual would expect the price of Ethereum to be above 1000USD, so normal participants would only want to sell this outcome; the only remaining market participants buying the outcome are hoping for the market to be resolved as "invalid".

Yet, if the price of Ethereum is between USD100 and USD1000 at the settlement date ("April 1, 2019 1:59 AM (UTC +8)") and at the price written in the details section ("General Price of Ethereum Cryptocurrency at end of day March 31st, 2019 UTC.") and remains between USD100 and USD1000 between both official and implied times on all major exchanges, then pragmatic REP holders may decide to select this outcome as both the intended and correct outcome.

Outcome 3 - Market is not disputed

Though unlikely, the market could potentially be settled as valid and not receive a dispute. In this case, the manipulator, through the use of other addresses, could have also purchased true tokens at a steep discount by creating FUD around the validity of the market. After doing so, he would be able to decide the market and not instigate a decision, fulfilling his own desire to receive funds more quickly. Even so, there's a chance that the market may be disputed by other market participants who joined with him to push the invalid outcome, leading to risks of defection from any colluding parties.

Past example of a "design flaw attack" [7]

In 2018, one of the Augur markets exhibited a total volume of more than USD 2 million [8] on a single market contract: "Which party will control the House after 2018 U.S. mid-term election?".

One user decided to create a market that would purposely:

  • Be generic/vague in the wording of the actual question
  • Specify a settlement date that precedes the actual outcome's date, yet after the results of the election

Because the results of the election were public, many "arbitraging participants" decided to bet in favor of the "Democrats controlling the house" outcome [9], as the Democrats won the election. Yet, the market settlement date was on December 12th, while the change in the US house was effective as of December 13th 2019.

Malicious users decided to provide a market by selling odds that "Democrats would control the house" and then bank on receiving a "Republicans would control the house" dispute settlement that would generate high returns.

However, this didn't happen, as the participant eventually settled into "Democrats" being the final outcome. This illustrates that the overall debate between pragmatism and "code is law" remains very vivid and difficult to define, making the on-chain governance all the more interesting.

Potential improvements

To their credit, the Augur team has already identified several of the considerations mentioned, as well as other potential improvements to consider for the 2nd version of the platform.

However, the improvements were released nearly 6 months ago [10], yet no official release of upgrades for a version 2 has been announced, while users have been potentially exposed to such concerns this entire duration.

1. A Price-Based Refunding Mechanism

According to the Augur team, "unfortunately, due to technical limitations, Invalid markets cannot 'unwind' trading so that traders receive the exact amount of money they paid for their shares." However, it would appear that the shares of outcomes for specific markets are in fact fungible, because transactions for outcome "Shares" (held as ERC-20 tokens within one's wallet) always come with a corresponding transaction for "Cash", or a value of ETH that was offered by the wallet and escrowed for the purchase of the outcome shares.

Thus, it would be possible, albeit tedious, to track down all the amounts paid for said ERC-20s on-chain through the smart contract, and if the user were able to provide all of his or her "shares" ERC-20 in full, they would be able to prove that they were the rightful owner of any shares in question.

In essence, this solution would provide the potential for an "original buyer warranty" - if the market resolves as invalid and the user still holds their full ending position, rather than receiving a mandated 1/N reward for all shares, they could in fact "bring back a receipt of original purchase", and prove that they indeed sent the corresponding amounts of Ether to the smart contract to receive the shares that they would like to return to the market, less the reporting fees.

Invalidating the market should result in a full return of all funds. The team argues that it cannot reverse funds because the tokens are all ERC20 tokens, meaning that the Augur team has no control over them. Yet, a lock up period is already a huge penalty for users, but it doesn't properly get attached to the participants who enter the market with their Ethereum.
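The "original buyer warranty" described in this section can be compared with the flat 1/N rule on a small ledger. This is an added example, not code from the report or from Augur; the account names, fill amounts and the 1% reporting fee are constructed, and the fee is assumed to apply to both rules.

```python
from fractions import Fraction


def settle_invalid(fills, balances, num_outcomes, fee=Fraction(1, 100),
                   set_cost=Fraction(1)):
    """Payout per account when a market resolves Invalid.

    fills:    list of (account, {outcome: shares}, eth_paid) purchases
    balances: {account: {outcome: shares}} held at resolution
    Returns {account: (rule, flat_payout, proposed_payout)}.
    """
    bought, paid = {}, {}
    for account, shares, eth in fills:
        position = bought.setdefault(account, {})
        for outcome, qty in shares.items():
            position[outcome] = position.get(outcome, 0) + Fraction(qty)
        paid[account] = paid.get(account, 0) + Fraction(eth)

    flat_price = Fraction(set_cost) / num_outcomes  # the current C/N rule
    keep = 1 - Fraction(fee)                        # share left after fees
    result = {}
    for account, held in balances.items():
        held = {o: Fraction(q) for o, q in held.items() if Fraction(q) > 0}
        flat = sum(held.values(), Fraction(0)) * flat_price * keep
        # The receipt applies only if the account returns exactly what it
        # bought; anything traded away falls back to the flat rule.
        if held and held == bought.get(account):
            result[account] = ("receipt", flat, paid[account] * keep)
        else:
            result[account] = ("flat", flat, flat)
    return result


# Constructed ledger: 16 complete sets filled at 0.70 ETH for the likely
# outcome. The counterparty escrows the remaining 0.30 ETH per set and
# receives the two other outcomes. Bob later sold 2 of his 6 shares.
FILLS = [
    ("alice", {"$100 - $1000": 10}, "7.0"),
    ("bob", {"$100 - $1000": 6}, "4.2"),
    ("mallory", {"$1000 or above": 16, "$0 - $100": 16}, "4.8"),
]
BALANCES = {
    "alice": {"$100 - $1000": 10},
    "bob": {"$100 - $1000": 4},
    "mallory": {"$1000 or above": 16, "$0 - $100": 16},
}

if __name__ == "__main__":
    for account, (rule, flat, proposed) in settle_invalid(FILLS, BALANCES, 3).items():
        print(f"{account:8s} {rule:8s} flat={float(flat):6.3f} ETH "
              f"proposed={float(proposed):6.3f} ETH")
```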

2. Clear references in the definition of a market

In the current Augur platform, vague sources (in the description of markets) such as "general knowledge" are often used, leading to confusion amongst participants. Further, ambiguous terms referring to time-zones, currencies, denominations, and units may also affect the ability to interpret the true outcome. If the UI were designed to create default times, currencies, and denominations, the chance of accidentally making an invalid market would be much lower.

Additionally, some markets were created long ago, when novice creators didn't fully understand the best practices for specificity, as well as not having the ability to foresee any precedents set after the market's creation that would deem a market invalid. As far as expiration concerns, market creators could be forced to specify the settlement time a specific period after the event ends, or else be unable to even launch the market in the first place.
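A creation-time check along these lines could reject a market whose end time precedes the event it asks about or whose terms are vague. This is an added example, not code from the report or from Augur; the field names, the one-hour buffer, the sample resolution sources and the reading of "end of day March 31st, 2019 UTC" as 23:59:59 UTC are assumptions.

```python
from datetime import datetime, timedelta, timezone

VAGUE_SOURCES = {"", "general knowledge"}  # the vague source the report names


def shortfall(market, min_buffer=timedelta(hours=1)):
    """How much later end_time must be to clear event_time + min_buffer."""
    gap = market["event_time"] + min_buffer - market["end_time"]
    return max(timedelta(0), gap)


def validate_market(market, min_buffer=timedelta(hours=1)):
    """Return a list of problem codes; an empty list means the market may launch."""
    problems = []
    end, event = market["end_time"], market["event_time"]
    # Naive datetimes carry no time zone, which is the ambiguity to reject.
    if any(t.tzinfo is None or t.utcoffset() is None for t in (end, event)):
        problems.append("NO_TIMEZONE")
    elif shortfall(market, min_buffer) > timedelta(0):
        problems.append("END_BEFORE_EVENT")
    source = (market.get("resolution_source") or "").strip().lower()
    if source in VAGUE_SOURCES:
        problems.append("VAGUE_SOURCE")
    if market.get("price_market") and not market.get("quote_currency"):
        problems.append("NO_QUOTE_CURRENCY")
    return problems


UTC8 = timezone(timedelta(hours=8))

# Times taken from the report; the other fields are constructed.
FLAWED = {
    "end_time": datetime(2019, 4, 1, 1, 59, tzinfo=UTC8),  # 17:59 UTC, Mar 31
    "event_time": datetime(2019, 3, 31, 23, 59, 59, tzinfo=timezone.utc),
    "resolution_source": "General knowledge",
    "price_market": True,
    "quote_currency": None,
}

# A corrected definition (constructed).
FIXED = {
    "end_time": datetime(2019, 4, 1, 1, 0, tzinfo=timezone.utc),
    "event_time": datetime(2019, 3, 31, 23, 59, 59, tzinfo=timezone.utc),
    "resolution_source": "Closing price on a named exchange (placeholder)",
    "price_market": True,
    "quote_currency": "USD",
}

if __name__ == "__main__":
    print("flawed:", validate_market(FLAWED), "short by", shortfall(FLAWED))
    print("fixed: ", validate_market(FIXED))
```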

3. Market validators with nontrivial stakes prior to the inception of any new market

A potential solution would be to create a new category of participants: market validators.

Staking REP tokens, these would verify the integrity of any new market by checking the initial terms of the market, to prevent any market from resulting in "invalid".

For the current controversial market, the designated reporter (ETH address 0xc64e96319366da7d00ef4bc14b42e8b1f3a31f52) posted a reporter stake of only 0.593 REP, or a little over $5 at time of publishing. That a user could lose such a small amount while potentially reporting maliciously an outcome illustrates the potential for high manipulation due to low validity bonds and stakes for reporters. In fact, the same user has already created an Augur market named "📉Ethereum Price at End of April 📈" designed to exploit the same flaw.

Instead, larger involvement of the REP community prior to the launch of an official market might provide a level of quality control that would encourage users to remain in the ecosystem.

In Veil, a dApp built on top of the Augur protocol, users have the ability to create user-nominated markets, in which orders may be placed but the market will not go live until further approval. While this may lead to some elements of centralization, the increased likelihood of validity of markets may inspire greater confidence amongst network participants. The issue of confidence in Augur markets has grown to the point that metamarkets are being created that discuss the validity of other markets.

The Augur team has already admitted that these technical problems were on their radar 6 months ago, but little action has been taken to protect users. The stance of the team has been that protocol-level problems were their main focus and that they wanted to allow dApps built on top of the protocol to solve some of the user experience shortcomings, but as was seen in the Ethereum fork, sometimes the base protocol needs to react given the issues that may arise at the dApp level. The team and community have already begun to share some additional materials and guides to increase the education and awareness of potential users.

A note on Governance Tokens

Governance tokens like Augur may potentially have some perverse incentives: if there are any disputes or clashes in the market, this is when the token has the most value (to settle the dispute), and stakeholders with opposing views will compete to acquire enough REP tokens to stake in support of their desired outcome. Thus, manipulators may be perversely incentivized to create controversy to spike the price in the voting. Fundamentally, the token governing a conflict-riddled platform may see a decline in utility value from declining overall activity and trust among the participants, implying that the long-term value of the project may be hindered by short-term profiteers looking to affect the REP price.

With "reverse network effects" - all participants who are hurt by invalid markets can either:

  • Leave with a loss and warn their friends to not join
  • Trade using their newfound knowledge on the market to trick the next user

While Augur is a use-case of blockchain, if some of these issues are not handled properly moving forward, the Augur ecosystem could be left with only its malicious actors and bystanders, as typical normal participants repeatedly lose funds and then leave the ecosystem.

Please note: The Augur market named "📉Ethereum Price at End of April 📈" is created by the same author (0xc64e96319366da7d00ef4bc14b42e8b1f3a31f52) as the current attack, featuring a similar flaw in ending date as the aforementioned Ethereum March Price market. Copy-cats are already being created, and will continue to pop up in future if no action is taken. While some of the markets may not have malicious intent from the market creator (e.g. “In Tokyo, will a big earthquake occur by April 2019?”), some malicious individuals may take advantage of naive users on these markets. Please take caution and warn any potential cryptocurrency users at this time about these potential scams.


Binance Research provides in-depth analysis and data-driven insights of digital assets by generating unbiased, institutional-grade research reports for investors in the crypto space.

©2019 Binance Research. All rights reserved