White Hat Hacker Finds Major Vulnerability in Ethereum DApp Augur


A white hat hacker has discovered a major vulnerability in decentralized prediction market Augur, perhaps the most highly-touted decentralized application (dApp) built on the Ethereum network.

The bug, disclosed through bug bounty platform HackerOne by security researcher Viacheslav Sniezhkov, would have allowed an attacker to inject fraudulent data into Augur’s user interface, potentially leading to a significant loss of funds on the part of affected users.

This exploit was made possible because while Augur’s core functionality — an uncensorable prediction market that allows users to bet on the outcome of virtually any event — is secured by the decentralized Ethereum blockchain, UI configuration files are stored locally on a user’s computer.

Consequently, hackers could deploy malicious websites that serve hidden iframes and, unbeknownst to the user, modify the configuration settings stored in those local files such that an Augur UI would serve up fraudulent data, potentially tricking a user into sending funds to a hacker-controlled address.

To reiterate, the bug was not in the Augur smart contract, unlike the high-profile Parity and DAO incidents. However, that does not mean that the vulnerability was not serious.

As Sniezhkov explained:

“A third party site can include a hidden iframe which can override the “augur-node” configuration variable of a running Augur application. This variable is persisted in localStorage. In the case of a browser page reload (user action or browser/OS crash), the normal “augur-node” websockets endpoint will be replaced with the one provided by the attacker, so that all the markets data, addresses and transactions can be masqueraded.”
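The defensive lesson in that quote is that a client must not trust an endpoint it reads back from browser storage. The following added example (not Augur's code, and not the patch the Forecast Foundation shipped) contrasts the weak pattern of using whatever is persisted with a hardened loader that parses the stored value, requires a WebSocket scheme, checks it against an allow-list, and discards and logs anything else. The "augur-node" key name comes from the disclosure; the URL format of the value, the default port, the allow-list entries and the in-memory storage stand-in are constructed assumptions.

```javascript
// Added example: validate a persisted WebSocket endpoint before connecting to it.
// Assumptions (not from the article): the "augur-node" key holds a WebSocket URL
// string; the default endpoint and the allow-list below are constructed values.

const CONFIG_KEY = 'augur-node';                 // key name from the disclosure
const DEFAULT_ENDPOINT = 'ws://127.0.0.1:9001';  // constructed default; port is hypothetical
const TRUSTED_ENDPOINTS = [                      // constructed allow-list
  DEFAULT_ENDPOINT,
  'wss://node.example.invalid:9001',
];

// Reduce a URL to "scheme//host[:port]" so that trailing slashes or paths
// cannot be used to sneak a look-alike value past the allow-list comparison.
function normalizeEndpoint(raw) {
  const url = new URL(raw);                      // throws on unparseable input
  if (url.protocol !== 'ws:' && url.protocol !== 'wss:') {
    throw new Error(`unsupported scheme ${url.protocol}`);
  }
  return `${url.protocol}//${url.host}`;
}

const TRUSTED_SET = new Set(TRUSTED_ENDPOINTS.map(normalizeEndpoint));

// Minimal localStorage stand-in so the example runs outside a browser.
function makeStorage(initial = {}) {
  const map = new Map(Object.entries(initial));
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Weak pattern: whatever sits in storage wins, so an attacker who can write
// the key controls every market, address and transaction the UI displays.
function loadEndpointUnchecked(storage) {
  return storage.getItem(CONFIG_KEY) || DEFAULT_ENDPOINT;
}

// Hardened pattern: only an allow-listed ws:/wss: endpoint is accepted; anything
// else is removed from storage and reported, and the client falls back to the
// built-in default. Returns { endpoint, rejected } where rejected is the raw
// discarded value, or null when nothing was discarded.
function loadEndpointChecked(storage, trusted = TRUSTED_SET) {
  const raw = storage.getItem(CONFIG_KEY);
  if (raw === null) {
    return { endpoint: DEFAULT_ENDPOINT, rejected: null };
  }
  let normalized;
  try {
    normalized = normalizeEndpoint(raw);
  } catch (err) {
    storage.removeItem(CONFIG_KEY);              // do not keep poisoned config around
    return { endpoint: DEFAULT_ENDPOINT, rejected: raw };
  }
  if (!trusted.has(normalized)) {
    storage.removeItem(CONFIG_KEY);
    return { endpoint: DEFAULT_ENDPOINT, rejected: raw };
  }
  return { endpoint: normalized, rejected: null };
}

// Demo: a constructed storage holding an untrusted endpoint.
function demo() {
  const storage = makeStorage({ [CONFIG_KEY]: 'wss://untrusted.example.invalid:9001' });
  const unchecked = loadEndpointUnchecked(storage);
  const checked = loadEndpointChecked(storage);
  return { unchecked, checked };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The check is deliberately an allow-list rather than a deny-list: the client knows which node endpoints it ships with, so any value outside that set, however plausible it looks, is treated as tampering and surfaced to the user rather than silently used.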

After sparring with Sniezhkov for several days over the severity of the vulnerability (namely whether it constituted a UI bug or something more serious), the Forecast Foundation, which oversees the development of the Augur protocol, ultimately awarded Sniezhkov $5,000 for disclosing the bug, which has since been patched.

At present, there is no indication that the vulnerability has been successfully exploited to steal user funds. However, the Forecast Foundation has advised users to update to the latest version of the software client, particularly since the vulnerability has now been made public.

As CCN reported, the protocol’s developers originally controlled a “kill switch” that could be used to effectively shut down the prediction market’s platform if a critical bug was discovered in the Augur smart contract in the two weeks following the dApp’s launch. When no critical bugs were found, they effectively destroyed the kill switch by transferring ownership of it to a “burn address.”

Featured Image from Shutterstock

The post White Hat Hacker Finds Major Vulnerability in Ethereum DApp Augur appeared first on CCN.



