A white hat hacker revealed that he has discovered major bugs in decentralized prediction market Augur.
Augur, is the most talked about the decentralized application (dApp) built on the Ethereum network
Security researcher Viacheslav Sniezhkov who made this revelation via bug bounty platform HackerOne stated that the bug would allow an attacker to inject fraudulent data into Augur’s user interface. If it happens, it could lead to users losing significant funds.
Augur’s main function is to serve as a decentralized prediction market that enables users to bet on the outcome of any event.
Sniezhkov added that vulnerability was possible because even though Augur’s main function is secure by the decentralized Ethereum blockchain, its UI configuration files are stored locally on a user’s computer.
This means that hackers could make use of malicious websites that serve hidden iframes and, unbeknownst to the user.
If the user opens any of those malicious websites, the hackers can modify the configuration settings stored in those local files in such a way that an Augur UI would serve up fraudulent data.
If that happens, the user can be tricked into sending funds to a hacker-controlled address.
Augur which is a decentralized prediction market platform enables digital currency users to create prediction markets for almost any event.
The researcher reiterated that the bug was not in the Augur smart contract, unlike previous issues with Parity and DAO. However, he warned that the vulnerability is still serious.
Sniezhkov stated “A third-party site can include a hidden iframe which can override “augur-node” configuration variable of a running augur application.
This variable is persisted in localStorage. In the case of browser page reload (user action or browser/OS crash), the normal “augur-node” websockets endpoint will be replaced with the provided by the attacker so that all the markets data, addresses, and transactions can be masqueraded.”
Bug patched by Forecast Foundation
The Forecast Foundation which has been tasked with the development of the Augur protocol held talks with Sniezhkov for days over the severity of the bug.
Sniezhkov was afterward rewarded with $5,000 for disclosing the bug, with the bug now taken care of.
At the moment, there is no report that shows that the vulnerability has been successfully manipulated to steal user funds.
Nonetheless, Forecast Foundation has told their users to update to the latest version of the software client available. This is important since the vulnerability is now public knowledge.
Earlier reports indicate that the developers of Augur initially had a kill switch that could be used to shut down the platform in case a critical bug was discovered in its smart contracts in the two weeks following its launch.
However, the kill switch was destroyed by transferring ownership of it to a burn address after the two weeks window elapsed, with no critical bugs discovered.