Augur scam highlights ‘code is law’ vulnerability of prediction markets

Blockchain-based prediction market Augur is reeling from revelations that a bad actor has taken advantage of platform loopholes to create scam markets and profitably game the system.

On March 20, a Reddit user published a post detailing how a bad actor was exploiting the Augur platform for unfair gain. According to the post, the scammer would create markets that seemed satisfactory at first glance but purposefully included small discrepancies and ambiguities in the wording describing the market.

The scammer would ensure that the differences in wording looked innocuous and could be explained away, for example by the market creator not being a native English speaker. The bad actor would then bet on the outcome that was least likely to win. The scammer would also stake some REP, the native digital asset of the Augur platform, on the market being declared invalid. Of course, the bad actor knew beforehand that the market was likely to be invalidated because of the wording discrepancies.

Manipulating a payday

Once the bets were placed and the market closed, the specifications underlying the platform would designate the market as invalid. On the Augur platform, when a market is declared invalid, the pot is distributed equally amongst all bettors. This way, the scammer who initially bet on the wrong outcome would benefit from other market participants’ funds.

Members of the Augur community divulged examples of such markets. For instance, a user created a market called "Ethereum price at the end of March 2019?" which at first glance seems like a legitimate market with no issues in the wording. However, upon closer scrutiny, users found discrepancies between the title and other details. In the title, the creator clearly denotes that the market should close at the "end of day March 31, 2019 UTC." However, in the expiration details assigned to the market, the expiration date provided was actually 1:59 p.m. UTC on March 31. This means that the market would close before the end of March.

This seemingly innocuous mistake almost certainly guarantees that the market will be rendered invalid come March 31. Unfortunately, most participants would be unlikely to catch the sleight of hand. While the locked away funds are shared between all the participants, the winner is always the scammer because he gains much more than he initially bet.
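The title-versus-expiry mismatch described above is something a front end can check mechanically before a user places a bet. The following is an added example, not Augur's code: a Python sketch that extracts deadline phrases from a market's text and compares them with the expiration timestamp. The function names, the two phrase patterns and the sample market text are assumptions constructed for illustration.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

MONTHS = {name.lower(): i for i, name in enumerate(calendar.month_name) if name}
END_OF_DAY = re.compile(r"end of day (\w+) (\d{1,2}),? (\d{4})", re.I)  # "end of day March 31, 2019"
END_OF_MONTH = re.compile(r"end of (\w+) (\d{4})", re.I)                # "end of March 2019"


def stated_deadlines(text):
    """Return (phrase, last second the phrase covers, in UTC) for each deadline phrase."""
    found = []
    for m in END_OF_DAY.finditer(text):
        month = MONTHS.get(m.group(1).lower())
        try:
            day = datetime(int(m.group(3)), month or 0, int(m.group(2)), tzinfo=timezone.utc)
        except ValueError:  # unknown month name or impossible date such as "February 30"
            continue
        found.append((m.group(0), day + timedelta(days=1, seconds=-1)))
    for m in END_OF_MONTH.finditer(text):
        month = MONTHS.get(m.group(1).lower())
        if month:
            year = int(m.group(2))
            last_day = calendar.monthrange(year, month)[1]
            found.append((m.group(0), datetime(year, month, last_day, 23, 59, 59, tzinfo=timezone.utc)))
    return found


def expiry_warnings(title, details, expiry_utc):
    """Warn for every stated deadline that falls after the market's actual expiration."""
    warnings = []
    for phrase, deadline in stated_deadlines(title + "\n" + details):
        if expiry_utc < deadline:
            gap = deadline - expiry_utc
            warnings.append(f"'{phrase}' runs to {deadline:%Y-%m-%d %H:%M} UTC, "
                            f"but the market expires {gap} earlier")
    return warnings


# Constructed sample modelled on the market described in the article.
TITLE = "Ethereum price at the end of March 2019?"
DETAILS = "Resolves using the price at end of day March 31, 2019 UTC."
EXPIRY = datetime(2019, 3, 31, 13, 59, tzinfo=timezone.utc)

if __name__ == "__main__":
    for warning in expiry_warnings(TITLE, DETAILS, EXPIRY):
        print("WARNING:", warning)
```

A check like this only catches the phrasings it knows about; any other wording still needs a human read of the market details.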

Following the revelation on Reddit, many of the comments seemed to indicate a turning of the tide with regard to public sentiment for the betting platform, with some going as far as to say that the platform had been rendered useless because virtually anyone could create such skewed and unfair markets.

The original poster said: "This makes Augur unusable at this point since basically every single character in the market description can be used to render it invalid. The staking model doesn’t work because the majority of REP holders doesn’t participate."

Centralization versus decentralization

Additionally, many pointed out that there were risks involved in participating in a decentralized betting platform like Augur because of the nuances involved with language. Even in day-to-day life, words are subject to interpretation and different people will comprehend the same words in diverse ways, depending on factors such as their background, native languages, and even punctuation.

However, in centralized betting platforms, such risks are minimized for a number of reasons. To begin with, the central authority would not allow a market with ambiguous wording to go live on a platform. In fact, this is one of the most important functions of the platform owners. They are economically incentivized to ensure only quality markets go live on their platform.

Secondly, in the event of any conflicts, the central authority assumes the role of mediator. The betting houses will review the cases and make a decision which is final. However, because they are economically incentivized to remain trustworthy in the eyes of their customers, these decisions are typically fair and well received by the affected users.

However, in a decentralized platform like Augur, code is law. The underlying software is able to handle many of the tasks handled by centralized authorities in betting houses like William Hill. However, in what is now becoming a somewhat recurring theme for the blockchain sector, one cannot code against all human behavior. A smart contract is simply a piece of self-enforcing software. It is unable to understand the nuances of human interaction.

Augur reacts – but no quick fix

This is not the first instance of wording ambiguities causing conflicts on the Augur platform, and as the conversation around the scams continued to grow, Joey Krug, a core developer at Augur, published a series of tweets in response.

Krug, who also serves as the co-chief investment officer at Pantera Capital, played down the severity of the problem, explaining that it was not a widespread attack with many actors but a single bad actor creating all the misleading markets. The same Ethereum address was used to create all of them.

Additionally, Krug revealed that there was an inbuilt mechanism designed to stop such an attack. However, it was malfunctioning. He explained: "The system in Augur has a built-in way to combat this: a validity bond. The more markets are invalid the higher the bond goes, augur targets 1% of markets as invalid. Right now it’s 10%. Why? There’s a bug on chain in the calculation of this bond which makes it too low."

Krug added that the bug is set to be remedied in the second release of the Augur platform, which will happen later this year. Krug and the developer team at Augur think it is wiser to address the risk on the user interface side as opposed to rushing to patch the issue without considering the entire code base, which may lead to even bigger problems.

He concluded: "Would be dangerous to rush audits for v2 over this, and increase the probability of a new issue arising because the developers weren’t careful about following good testing + bounty + audit practices for v2. Only way to address until then is via UI warnings."

Until then, Augur users will do well to carefully examine all details of the markets they want to participate in to avoid falling victim to this platform’s loophole.

