3/3/2022
A contract bug that could give an orchestrator two opportunities to win (i.e. receive the face value of the ticket) using a single ticket received from a broadcaster was recently reported to the core team. A fix for the bug has been deployed and, going forward, each ticket received by an orchestrator should represent only a single opportunity to win.
The main problem was that a broadcaster’s signature could be modified to give an orchestrator a second opportunity to win with the same ticket.
The deployment of this bug fix is a part of the governance failsafes procedure described in [1]. The bug gave an orchestrator an additional opportunity to win with a ticket received from a broadcaster. In effect, an orchestrator could potentially extract extra value from a broadcaster by collecting extra winning tickets over an extended period, which would be harmful to the broadcaster. With this in mind, the core team moved swiftly to deploy a fix and resolve the issue for the community as soon as possible.
The core team will soon share a full technical post-mortem, and will separately share the report that brought this bug to the team’s attention.
EDIT: The technical post-mortem can be found here.