What is a Bug Prediction Market?

Nick Munoz-McDonald, Solidified
Aug 1, 2018

A bug prediction market is a prediction market on whether a severe security vulnerability will be discovered in a given code base before a given end date. Bug Prediction Markets (BPMs) on Solidified will tie a contract’s bytecode, source code, and behavior specification to such a market. This way smart contract security experts must take on economic risk when making security assurances, and are of course rewarded when they prove correct.

Wait, what’s a prediction market?

In short, they’re markets that allow you to trade on the outcome of future events. For a more detailed explanation of prediction markets and why they’re useful, check out this article from our friends at Gnosis.

Why do we need Bug Prediction Markets?

Bug prediction markets:

  • Incentivize reporting bugs found in deployed contracts rather than exploiting them: if a bug hunter were to find a severe vulnerability, they would buy up “Bug” outcome tokens, report the bug through Solidified, and be rewarded when the bug is confirmed.
  • Provide an economic measure of the auditing community’s confidence in the security of deployed contracts: the spot price of “Bug-free” outcome tokens can be read as the security community’s confidence in the security of the smart contracts in question.
  • Allow bug hunters to earn compensation for evaluating a secure smart contract: currently, if a bug hunter is unable to find a bug in a bounty program despite significant effort, they have effectively wasted their time. Yet “I looked hard and found nothing” is a valuable signal. By purchasing “Bug-free” outcome tokens they vouch for the safety of the contract and get compensated for this work.
  • Serve as an early warning system for stakeholders of a smart contract when a vulnerability is discovered. When a bug hunter finds a severe vulnerability, they would buy up as many “Bug” tokens as they can (to maximize their reward). This drives the price of “Bug” tokens up and commensurately drives the price of “Bug-free” tokens down, signaling to stakeholders to get out of the contract as soon as possible, before the report is even confirmed.

How does it work?

An example market, from creation to resolution:
  1. We assume that a contract author has first conducted a security audit and fixed any issues that were identified to the satisfaction of the auditors.
  2. The author then opens a prediction market on the final code through the Solidified platform by providing initial liquidity (denominated in SOLID) and an end date. The liquidity funds an automated market maker, and is in effect “payment” for the information the prediction market provides. The prediction market is tied to the bytecode of the contracts, not to a specific deployment. Authors can open a bug prediction market on their code at any time, and we expect them to do so before deployment to gain final reassurance before going to mainnet.
  3. While the market is open, up until its end date, security experts can trade tokens representing the outcomes of the market (outcome tokens). An expert who believes a bug will be found in the code before the end date buys “Bug” tokens, an outcome token that pays 1 SOLID if a valid bug is disclosed. An expert who believes a bug will NOT be found before the end date buys “Bug-free” tokens, an outcome token that pays 1 SOLID if no valid bug is confirmed by the market end date. We expect the spot price in these markets to be the aggregate probability estimate of all traders for that outcome. In other words, the spot price reflects the community’s confidence in the security of the code.
  4. Third parties can use this security confidence estimate to inform their decisions about which smart contracts to interact with and how much value to trust them with. Because the market is keyed to bytecode rather than to an address, a third party should first confirm that the runtime bytecode deployed at the address they intend to use matches the code the market covers; a market says nothing about a different or modified deployment.
  5. Once the market’s end date is reached, holders of tokens for the correct outcome can redeem them for 1 SOLID each. Tokens for the incorrect outcome (the event that did not happen) are worth nothing. In short, experts who predicted correctly are rewarded.
  6. After the market expires, an author who wishes to keep displaying a security confidence metric must create a new market on the same code.
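The steps above, as an added worked example in Python. This is not Solidified’s or Gnosis’ code: it assumes a two-outcome LMSR (logarithmic market scoring rule) market maker with a liquidity parameter `b`, which the page does not specify (it only says the author funds an automated market maker). The market, the trades and the amounts are constructed for illustration. It shows the spot price moving as an auditor vouches for the code and then as a bug hunter buys “Bug” tokens, the resolution paying 1 SOLID per winning token, and the bound on what the author’s liquidity can lose.

```python
import math


class LmsrBugMarket:
    """Two-outcome bug prediction market priced by an LMSR automated market maker.

    Outcome 0 is "Bug" (a valid severe bug is confirmed before the end date),
    outcome 1 is "Bug-free". Each token of the winning outcome redeems for 1 SOLID.
    The LMSR rule and the parameter b are assumptions made for this example.
    """

    BUG, BUG_FREE = 0, 1

    def __init__(self, b):
        self.b = float(b)          # liquidity parameter: larger b = deeper, slower-moving market
        self.q = [0.0, 0.0]        # outstanding tokens per outcome
        self.collateral = 0.0      # SOLID paid in by traders so far

    def _cost(self, q):
        # LMSR cost function C(q) = b * ln(sum_i exp(q_i / b))
        return self.b * math.log(sum(math.exp(x / self.b) for x in q))

    def price(self, outcome):
        """Spot price of one outcome token, i.e. the market's probability estimate."""
        exps = [math.exp(x / self.b) for x in self.q]
        return exps[outcome] / sum(exps)

    def buy(self, outcome, amount):
        """Buy `amount` tokens of `outcome`; returns the SOLID paid to the market maker."""
        new_q = list(self.q)
        new_q[outcome] += amount
        paid = self._cost(new_q) - self._cost(self.q)
        self.q = new_q
        self.collateral += paid
        return paid

    def max_loss(self):
        """Worst case for the market maker: b * ln(number of outcomes), whatever traders do."""
        return self.b * math.log(len(self.q))

    def settle(self, winning_outcome):
        """Resolve the market: winning tokens pay 1 SOLID each, losing tokens pay 0.

        Returns (total payout, market maker's loss). The loss is what the
        author's liquidity deposit has to cover.
        """
        payout = self.q[winning_outcome]
        return payout, payout - self.collateral


def run_example(b=100.0):
    """Constructed scenario: an auditor vouches for the code, then a hunter finds a bug."""
    m = LmsrBugMarket(b)
    open_price = m.price(m.BUG_FREE)          # 0.5 at open: no information yet
    auditor_paid = m.buy(m.BUG_FREE, 50)      # auditor vouches: "Bug-free" price rises
    price_after_vouch = m.price(m.BUG_FREE)
    hunter_paid = m.buy(m.BUG, 300)           # hunter loads up on "Bug" before reporting
    bug_signal = m.price(m.BUG)               # early warning: "Bug-free" has collapsed
    payout, loss = m.settle(m.BUG)            # oracle confirms the bug
    return {
        "open_price_bug_free": open_price,
        "auditor_paid": auditor_paid,
        "price_bug_free_after_vouch": price_after_vouch,
        "hunter_paid": hunter_paid,
        "price_bug_after_hunter": bug_signal,
        "payout": payout,
        "market_maker_loss": loss,
        "max_loss": m.max_loss(),
    }


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k:28s} {v:10.4f}")
```

With `b = 100` the auditor’s 50 “Bug-free” tokens cost about 28 SOLID and lift that price to roughly 0.62; the hunter’s 300 “Bug” tokens cost about 210 SOLID and push the “Bug” price to roughly 0.92, which is the stakeholder warning from the list above, visible before any report is confirmed. At resolution the 300 winning tokens pay 300 SOLID against 239 SOLID collected, so the author’s liquidity absorbs a loss of about 61 SOLID, under the LMSR ceiling of b·ln 2 ≈ 69 SOLID. That ceiling is the sense in which the liquidity is “ultimately lost”: the author should fund at least b·ln 2, and that is the most the market can cost them.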

How are bug prediction markets different from other prediction markets?

The prediction market concept is uniquely suited to this application. Since the subject of the market is entirely open and immutable, we sidestep the “insider trading problem” inherent to prediction markets. No one has a privileged position from which to influence the outcome of the market, as opposed to, say, a market on whether a product launch will be delayed.

Prediction markets can be thought of as primarily aggregating information by paying informed participants for the information they signal when buying outcome tokens. Prediction markets run by automated market makers require liquidity supplied by the market creator, and the creator should expect to lose it: it is what pays the informed traders. Through audits, smart contract authors currently pay significant sums to a single party for a signal of whether their contracts are secure. Those funds can be partially repurposed for bug prediction markets, which provide a properly incentivized metric that is in effect validated by many parties.

Why does it need to be decentralized?

In the process of growing Solidified’s original audit and bug bounty platform, we quickly ran into scaling barriers. Evaluating auditors, coordinating the audit process, and arbitrating bug disputes all require large time commitments from expensive experts. Smart contract auditors’ opportunity cost is very high. Acting as a centralized validator, audit manager, and reputation tracker is a bottleneck that greatly limits the supply and efficiency of auditors. If Ethereum is to live up to its promise, we have to massively scale smart contract security practices. Security is a community responsibility; relying on a small group of elites to dictate what’s safe is not sustainable. We must incentivize mass participation in these efforts.

Why not use Gnosis or Augur?

We’ve partnered with Gnosis and are building our platform on top of Gnosis’ prediction market smart contracts, and plan to contribute to them as well!

Augur’s oracle relies, in order to function smoothly, on the assumption that the outcome of a market is unambiguous and easily verifiable by any member of the public. This is not the case when validating smart contract bugs, which is a specialized skill that often requires significant effort and context. On our current bug bounty platform, disputes over bug validity are common: it is not always clear to an outside observer how severe an issue actually is without personally investigating it. Therefore, we have introduced our own oracle, specific to validating smart contract bugs.

How will these markets be decided?

Initially Solidified will provide centralized bug verification to bootstrap the platform. There are two major disadvantages to the centralized oracle: (i) it is a single point of failure for the platform and (ii) we expect its throughput to be significantly lower than the decentralized version. For these reasons, we plan to move to the decentralized scheme as soon as the correctness of the Bug Verification Oracle (BVO) is ensured. For more information on the oracle approaches being explored, see section 4.6 of the whitepaper.

Where can I learn more?

Check out https://token.solidified.io for more information on the platform and how to participate in our token sale. We’re happy to answer any questions you have on our community channels. See you there!

Reddit: https://www.reddit.com/r/solidified/
Telegram: https://t.me/solidifiedtoken
Slack: https://solidified.slack.com/
