White Hat Hacker Finds Major Vulnerability in Ethereum DApp Augur

A white hat hacker has discovered a major vulnerability in decentralized prediction market Augur, perhaps the most highly-touted decentralized application (dApp) built on the Ethereum network.

The bug, disclosed through bug bounty platform HackerOne by security researcher Viacheslav Sniezhkov, would have allowed an attacker to inject fraudulent data into Augur’s user interface, potentially leading to a significant loss of funds on the part of affected users.

This exploit was made possible because while Augur’s core functionality — an uncensorable prediction market that allows users to bet on the outcome of virtually any event — is secured by the decentralized Ethereum blockchain, UI configuration files are stored locally on a user’s computer.

Consequently, hackers could deploy malicious websites that serve hidden iframes and, unbeknownst to the user, modify the configuration settings stored in those local files such that an Augur UI would serve up fraudulent data, potentially tricking a user into sending funds to a hacker-controlled address.

To reiterate, the bug was not in the Augur smart contract, as was the case with the high-profile Parity and DAO incidents. However, that does not mean that the vulnerability was not serious.

As Sniezhkov explained:

“A third party site can include a hidden iframe which can override “augur-node” configuration variable of a running augur application. This variable is persisted in localStorage. In the case of browser page reload (user action or browser/OS crash), the normal “augur-node” websockets endpoint will be replaced with the provided by attacker so that all the markets data, addresses and transactions can be masqueraded.”

After sparring with Snizhkov for several days over the severity of vulnerability (namely whether it constituted a UI bug or something more serious), the Forecast Foundation, which oversees the development of the Augur protocol, ultimately awarded Sniezhkov $5,000 for disclosing the bug, which has since been patched.

At present, there is no indication that the exploit has been successfully manipulated to steal user funds. However, the Forecast Foundation has advised users to update to the latest version of the software client, particularly since the vulnerability has now been made public.

As CCN reported, the protocol’s developers originally controlled a “kill switch” that could be used to effectively shut down the prediction market’s platform if a critical bug was discovered in the Augur smart contract in the two weeks following the dApp’s launch. When no critical bugs were found, they effectively destroyed the kill switch by transferring ownership of it to a “burn address.”

Comments

comments