Defeating Augur’s Largest Attack FAQ - Frequently Asked Questions

Defeating Augur’s Largest Attack:

Our Four-Legged Strategy for Ending Invalid Market Scams and Building a More Reliable and Robust Protocol

June 5th, 2019, 10:00 am
Rewriting the Game:

Augur is a bit like a high-stakes chess match. Its developers and community face off against exploiters and attackers in a sort of intellectual arms race. Bad actors pursue new exploits, new lines of attack, and developers counter by making the protocol more robust and secure. Each side attempts to outsmart and outmaneuver the other.

But unlike a chess match, the developers may rewrite and improve the game as its being played. The ultimate goal is to create a game where everyone wins: where the individual incentives of market actors align with the utility and security of the protocol as a whole. A game where it is more profitable to participate in the protocol than to attack it and where it is more profitable to create valid markets and report honestly on their outcomes than it is to create invalid markets and lie.

While Augur v1 has largely succeeded on this front, it has faced one pressing attack vector: invalid market scams. Bad actors, or at least one prominent trader, have gamed the system to deliberately create and profit off of Invalid markets at the expense of other traders. This attack vector was known before v1, but due to a technical issue, it was successfully exploited by scammers.

This is a serious problem, and it demands a serious solution. So starting today, we are releasing a suite of changes that we believe will make Invalid market scams a thing of the past. We expect that these improvements will not just solve this issue for good but also make Augur a more reliable and robust protocol in general. We implemented the first of these changes today, while others will arrive in Augur v2.

Before diving into the changes, let’s see how the attack works...

The Attack:

In a prediction market, traders buy shares whose payout depends on the outcome of an event. In a YES/NO market on Augur v1, one can buy two types of shares: YES or NO. If the market resolves YES (the event occurred), each YES share pays out one Ether, and each NO share pays out nothing. If the market resolves NO (the event does not occur), each NO share pays out one Ether, and each YES share pays out nothing. However, if the outcome was ambiguous or unverifiable, the market is deemed “Invalid,” and YES and NO shares each pay out .50 Ether.

The Invalid scam involves creating markets that appear valid on first glance but are actually Invalid. The most common approach is setting a market to end before the outcome will be known. The market creator (or other traders) then place orders for cheap YES and/or NO shares for under .50 Ether a pop. Traders who do not realize the market is Invalid or do not understand how Invalid markets work then buy these shares, and the scammers net a profit when the market resolves.

The same scheme can be applied to categorical markets (multiple outcomes) and scalar markets (numerical outcomes), adjusted for varying payouts in the case of Invalid. For example, in a categorical market with 4 outcomes, each Invalid share pays out .25 Ether, so scammers buy YES or NO shares for under .25.

In Augur v1, market creators pay a validity bond when they create a market, which they only get back if the market is valid. The validity bond, however, has been lower in some cases than needed to deter Invalid market creation.

Designing the Counterattack:

Ideal solutions require a few traits:

We need autonomous solutions that use market forces and incentives or programmable logic rather than manual interference. For example, since Augur is a decentralized, censorship-resistant protocol, the Forecast Foundation cannot manually remove or flag markets.

We need robust solutions that succeed in different contexts and attack the problem from different angles, from deterring the creation of Invalid markets in the first place to signaling which existing markets are likely Invalid.

Finally, we favor broadly useful solutions that have neutral or beneficial side effects and that ideally create utility for traders beyond addressing this issue.

Liquidity Sort:

Today, we released a new version of Augur App that redefines how markets are sorted and incentivizes liquid and valid outcomes. The sort ranks markets based on their “depth-weighted” spread and makes the most liquid order books the most visible.

A normal spread is the gap between the highest bid (price traders are offering to buy at) and the lowest ask (price traders offering to sell at). Filtering out markets with wide spreads would hide the highest-risk scam markets where traders could incur the greatest losses.

Scammers, however, could bypass a simple spread filter by placing a trail of dust orders, tiny bids or asks, leading up to a larger, more profitable order, in an attempt to lure in unsuspecting traders. So we need to account for not just the width of the spread, but also its depth.

Defeating Augur's Largest Attack

An example of a market with a wide and shallow spread

A depth-weighted spread lets us account for both how wide the spread is and the quantity of volume on each side. For example, a market with .01 shares on bid at .49 and .1 shares on sale at .51 is less liquid then a market with 10 shares on bid at .48 and 10 shares on sale at .52, despite the tighter spread.

Imagine buying the cheapest 15% of asks from an order book and then selling them back into the market right away. If you recoup a high percentage of what you paid, say 85%, the market is more liquid than if you recoup a small percentage, say 50%. If there’s a wide spread or a narrow spread but with a bunch of dust orders, you only recoup a small amount.

Defeating Augur's Largest Attack

An example of an order book with a relatively narrow and deep spread, by present Augur standards

The new liquidity sort essentially codifies this scenario. Markets are sorted based on the amount of shares you could buy and sell while still meeting a liquidity threshold, which defaults to 15%. So a market where you could buy 100 ETH worth of shares, sell them, and recoup 85% (1–15%) of what you paid, would rank higher than a market where you could only buy and sell 10 ETH while recouping the same percentage. It also filters out markets with spreads greater than 15%. This feature alone may not filter out all Invalid markets, but it greatly diminishes the damage.

The sort rewards liquid markets with tight, deep spreads. In other words, it makes the markets that are the most useful to traders, the most visible. Before, traders could wash trade their way to the top of the markets page, since the sort was based purely on open interest, the amount of money currently at stake in the market. Invalid markets benefited from perverse network effects where they appeared to have good offers, so people traded in them, which lifted them yet higher in the default sort.

The new sort flips these network effects to favor liquid, valid markets. It incentivizes market creators and makers to put in more liquidity with tighter spreads.

Experimental Invalid Filter:

An Invalid market could still sneak through the spread filter. It probably wouldn’t hurt traders as much as a market that didn’t pass the filter, but it may still produce losses.

Defeating Augur's Largest Attack

For example, this market would pass the spread filter with flying colors, and yet…it’s Invalid! If someone fills the .48 bid, they will lose .02 ETH + fees per share, and the scammer will net .02 ETH + fees per share.

Is there some other tell that reveals that this market is invalid or at least offers a red flag — just from looking at the order book?

Yes! Nobody is offering to buy or sell at any price that would incur a loss in the case of Invalid. In a YES/NO market, that means no bids above .50 and no asks below .50.

Remember, Invalid market scams are a rigged game in which the market creator knows the end payout of shares from the get go, .50 ETH in a YES/NO market. So if there were any bid above .50 or ask below .50, it presumably would have already been filled by the market creator or a rational actor.

So our Invalid filter excludes markets that have no bids or asks that would incur a loss for the order creators in the case of Invalid resolution. The presence of such orders is a signal that a market is valid, since one or more rational actors would have filled them already if the market were invalid.

The filter also accounts for fees. For example, let’s say the market creator is collecting 4% fees. Having a bid filled at .52 ETH would still net a profit, despite spending .52 ETH on a share that would ultimately pay out .50 ETH (.50 - .52+.04 = .02).

Even accounting for fees, the Invalid filter is not bulletproof. An Invalid scammer could post a small order as a loss leader to pass the filter. However, in tandem with the spread filter, this makes it sufficiently hard to profit off of Invalid scams such that the market creators are probably better off applying their savvy to making valid markets.

The liquidity sort and Invalid filters work symbiotically, since as market creators add liquidity in order to rank high in the liquidity sort, they are also more likely to pass the Invalid filter. However, the Invalid filter runs the risk of false positives: filtering out markets that are actually valid. So we’re adding the filter as an experimental feature that the user is free to de-select. As an experimental filter, our plan is to observe what happens in the wild, see which way the cat jumps, and make adjustments as needed.

Tradeable Invalid:

The solutions mentioned so far, while useful, do not get at the root issue: incentives. They also rely on UI changes and don’t touch the protocol. Tradable Invalid, one of the innovations we’re most excited for in v2, is an elegant solution that gets at the heart of the matter. It applies market forces to disincentivize the creation of Invalid markets and make it harder to profit off or get scammed by them.

In v2, Invalid becomes an explicit tradable outcome. Just like you can buy YES or NO shares, you will be able to buy “Invalid shares.” This will make it impossible for scammers to profit off YES or NO shares in Invalid markets, since such shares will pay out nothing.

The price and order book for Invalid shares in any given market will signal the risk of Invalid resolution. So traders will better be able to filter out Invalid markets and to account for and hedge against the risk of Invalid in the markets that they do trade in. It will also be possible to buy insurance against an Invalid resolution when buying YES or NO shares.

Where tradable Invalid really shines is in its broader utility. A core property of a well-designed prediction market is that the price of shares signals the present perceived probability of an outcome. For example, if YES shares for “Will Andrew Yang be the 2020 Democratic Presidential Nominee” are going for .09 ETH, the market thinks there’s a ~9% chance. This goes the other way too: traders decide how much to pay based on their own perceived probability. So the relationship between price and perceived probability is a two way street.

This equation is broken in Augur v1. Since one cannot know how much an Invalid outcome is priced into NO or YES shares, one cannot infer perceived probability from price. Even if an outcome has a 0% probability of occurring, YES shares may have a positive price if there is any chance that the market will resolve Invalid. Tradable Invalid breaks these into discreet outcomes, so that the probability the market is assigning to each outcome becomes crystal clear. This moves Augur closer to it’s long-term vision of becoming a public utility that produces robust predictions on any outcome in the world.

Floating Formula for Invalid Bonds:

When you create a market on Augur you put up an “Invalidity Bond,” a deposit that you get back if and only if the market resolves valid. The price of this bond is automatically adjusted based on the number of recent Invalid markets. More Invalid markets drives the rate up to make it costlier to create them, while fewer Invalid markets drives the rate down.

The problem is that in v1, the rate can fall too quickly, making it cheaper to create Invalid markets. In v2, the formula is altered so that the bond can fall no more than 15% in a single week. This may help deter Invalid market creation while letting users filter markets by the bond rate the market creator paid, with the idea that markets with higher rates are less likely to be Invalid.

A Valid Resolution:

“You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete.” ― Buckminster Fuller

We believe that these changes will make Invalid market scams a losing game and ultimately obsolete. Invalid market scammers will face a choice: seek a new exploit, leave Augur, or start creating valid markets and contributing productive liquidity (it appears the most prolific Invalid market creator on Augur has already creating some valid markets). Either way, it’s a win. If they find a new exploit, we can counteract it before Augur hits primetime. If they redirect their skills at making valid markets, even better.

In the high-stakes face-off between a protocol and its exploiters, one invaluable edge that Augur has is a community of thousands of people the world over who are excited about the project and want it to succeed. The community has been instrumental in helping develop and refine some of these solutions. In particular, we owe a big shoutout to the folks in the #game-theory channel on the Augur Discord.

We also recognize numerous members of the Augur community who have gone out of their way to educate others on the risk of Invalid markets and in some cases to even front run scammers. And finally, while we could never condone their actions, thank you to Invalid market creators for showing us where Augur could be improved.

As we take a big step forward in solving this problem, we believe that with the hard work and ingenuity of our developers and community, we can meet any challenge that comes our way.

To get started on Augur, visit augur.net.

Start Trading on Augur


Special note for market creators:

It is essential to add liquidity to your market for users to see it. Your market must contain an order book where the difference between the highest ask and lowest bid is less than 15% of the range, inclusive of fees, of the market. For example, a binary or categorical market with a .55 bid and .63 ask would have an 8% spread, so it would show up. A market with a .55 bid and .75 ask would *not* show up. The tighter the spread and greater liquidity, the higher your market will rank and the more people will see it.

Additionally, for your market to appear on the default markets page, you must have a bid above or an ask below the number of outcomes in the market divided by the range, after accounting for fees. For instance, a YES/NO market with a highest bid of .48 and lowest ask of .52 would be filtered out, since there is no bid above .50 or ask below .50. A market with a .52 bid and .55 ask would *not* be filtered out.

So in Augur V1, until a better solution goes live in V2, this means avoiding creating markets with true even odds, and instead creating ones with a slight (or large) underdog to ensure they’re not accidentally caught by the invalid market filter.