[Bug Bounty: up to 50 ETH] Cross chain Kleros-Reality.eth connectors #35

Open
clesaege opened this issue Feb 13, 2021 · 0 comments
Cross chain Kleros-Reality.eth connectors

This is a bug bounty on connector contracts between Reality.eth (on xDAI) and Kleros.
Bugs are rewarded up to 50 ETH according to this classification:

  • Critical Bugs: 50 ETH
    for bugs with a high likelihood of allowing an attacker to make the oracle return the wrong answer.
  • Major Bugs: 25 ETH
    for bugs that can lock a non-negligible amount of user funds or enable stealing a non-negligible amount of user funds.
  • Minor Bugs: 2 ETH
    for smaller bugs which can still produce a non-negligible amount of harm to users.

Issues which do not result in a contract redeployment can only be classified as minor.

If you find a bug you can send a mail to clement@kleros.io. In case of dispute about the classification of a bug, Kleros will be used to solve it.

Reality.eth-Kleros connectors

These contracts are connectors allowing disputes on Reality.eth on xDAI to be ruled by Kleros on Ethereum mainnet.

  • See reality.eth documentation for an overview of the mechanisms of this oracle.
  • Disputes are started on the Ethereum mainnet on RealitioForeignArbitrationProxy. The requester needs to put down a deposit.
  • Reality.eth on xDAI is informed that a dispute is created through RealitioHomeArbitrationProxy. If something happened in between (like someone changing the answer) the request is canceled and the requester is refunded.
  • Kleros on Ethereum mainnet is informed that the dispute can be created through RealitioForeignArbitrationProxy. If the arbitration fees had changed in the meantime, the requester is refunded and Reality.eth is informed through RealitioHomeArbitrationProxy.
  • Kleros gives a ruling which is transmitted to Reality.eth through RealitioForeignArbitrationProxy and RealitioHomeArbitrationProxy.

Bounty

Smart Contract Guidelines

We use these guidelines to write smart contracts. In particular, we do not try to prevent stupid behaviors at the contract level but leave this task to the UI. Leaving a user the possibility to harm themselves is not a vulnerability (but should of course be dealt with at the UI level).

Violations of guidelines are not vulnerabilities but can be reported as "suggestion for tips" (you may get a few PNK for it).

Bounty Rules

  • If you have any questions, don't hesitate to ask on the slack channel (slack.kleros.io #smart-contract-review) or by sending a mail to clement@kleros.io.
  • This bounty may be advertised on multiple platforms. Bounties are only awarded to the first person finding the bug irrespective of the platform.
  • Posting vulnerabilities publicly, even on this issue, before being allowed or having your vulnerability formally rejected is forbidden and would void your claim for rewards.
  • Good luck and have fun hunting!

Extra info

Extra information is given for informational purposes. This allows you to see the bigger picture of what the contract is made for.

  • Frontend, be sure to be connected to the xDAI network.
  • Omen, a prediction market relying on the reality.eth oracle. Be sure to be connected to the xDAI network.
  • Reality.eth and its documentation. Those are part of a separate bounty.
@clesaege clesaege pinned this issue Feb 13, 2021