White Hat Hacker Finds Major Vulnerability in Ethereum DApp Augur

A white hat hacker has discovered a major vulnerability in decentralized prediction market Augur, perhaps the most highly-touted decentralized application (dApp) built on the Ethereum network.

The bug, disclosed through bug bounty platform HackerOne by security researcher Viacheslav Sniezhkov, would have allowed an attacker to inject fraudulent data into Augur's user interface, potentially leading to a significant loss of funds on the part of affected users.

This exploit was made possible because, while Augur's core functionality (an uncensorable prediction market that allows users to bet on the outcome of virtually any event) is secured by the decentralized Ethereum blockchain, UI configuration files are stored locally on the user's computer.

Consequently, hackers could deploy malicious websites that serve hidden iframes and, unbeknownst to the user, modify the configuration settings stored in those local files such that an Augur UI would serve up fraudulent data, potentially tricking a user into sending funds to a hacker-controlled address.

As a decentralized prediction market platform, this dApp allows cryptocurrency users to create prediction markets for virtually any event.

To reiterate, the bug was not in the Augur smart contract, as was the case with the high-profile Parity and DAO incidents. However, that does not mean that the vulnerability was not serious.

As Sniezhkov explained:

A third-party site can include a hidden iframe which can override the augur-node configuration variable of a running Augur application. This variable is persisted in localStorage. In the case of a browser page reload (user action or browser/OS crash), the normal augur-node websockets endpoint will be replaced with the one provided by the attacker, so that all the market data, addresses and transactions can be masqueraded.

After sparring with Sniezhkov for several days over the severity of the vulnerability (namely whether it constituted a UI bug or something more serious), the Forecast Foundation, which oversees the development of the Augur protocol, ultimately awarded Sniezhkov $5,000 for disclosing the bug, which has since been patched.

At present, there is no indication that the vulnerability has been successfully exploited to steal user funds. However, the Forecast Foundation has advised users to update to the latest version of the software client, particularly since the vulnerability has now been made public.

As CCN reported, the protocol's developers originally controlled a kill switch that could be used to effectively shut down the prediction markets platform if a critical bug was discovered in the Augur smart contract in the two weeks following the dApp's launch. When no critical bugs were found, they effectively destroyed the kill switch by transferring ownership of it to a burn address.

Featured Image from Shutterstock

08.08.2018 / 14:00