Skip to content

Evidence event is missing the arbitrable address which is tied to the externalDisputeID #2166

New issue
New issue
Closed as not planned
Closed as not planned
Evidence event is missing the arbitrable address which is tied to the externalDisputeID#2166
Assignees
jaybuidl
Labels
Audit: Contract Reviews 👀Internal reviewCompatibility: ABI change 🗯Smart contract ABI is changing.Package: ContractsCourt smart contractsType: Bug 🐛
@jaybuidl

Description

@jaybuidl
jaybuidl
opened on Oct 8, 2025

Problem

The externalDisputeID is local to a particular arbitrable and is emitted by the Arbitrable.DisputeRequest event.

Later when a court user calls submitEvidence() they reference this externalDisputeID as part of Evidence event, but it does not specify the arbitrable relevant to this externalDisputeID.

⚠️ Edge case: if the arbitrable calls EvidenceModule.submitEvidence() then this adjacent issue is relevant #2160

Solution

Add an _arbitrable parameter to IEvidence.submitEvidence() and the Evidence event.

Security Considerations

A malicious user may spoof the value of _arbitrable when submitting evidence. As long as this information is used only for the purpose of displaying evidence, it falls into 3 cases:

  1. _arbitrable is the correct value, no problem.
  2. _arbitrable is another arbitrable where the _externalDisputeID exists, then the evidence is displayed for that other incorrect dispute.
    -> If an attacker wants to achieve this, they can already do it today, so it does not increase the attack surface.
  3. _arbitrable is something else, then _externalDisputeID won't match anything and the evidence won't be displayed.

Metadata

Metadata

Assignees

Labels

Audit: Contract Reviews 👀Internal reviewCompatibility: ABI change 🗯Smart contract ABI is changing.Package: ContractsCourt smart contractsType: Bug 🐛

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions