White Hat Hacker Finds Major Vulnerability in Ethereum dApp Augur


A white hat hacker has discovered a serious vulnerability in Augur, the decentralized prediction market that is perhaps the most hyped decentralized application (dApp) built on the Ethereum network.

The bug, disclosed through the HackerOne bug bounty platform by security researcher Viacheslav Sniezhkov, would have allowed an attacker to inject fraudulent data into the Augur user interface, potentially leading to a significant loss of funds for affected users.

The exploit was possible because, while Augur's core functionality (a censorship-resistant prediction market that lets users bet on the outcome of almost any event) is protected by the decentralized Ethereum blockchain, the user interface's configuration files are stored locally on the user's computer.

As a result, an attacker could set up a malicious website that serves hidden iframes and, without the user's knowledge, changes the configuration settings stored in those local files. The Augur user interface would then display fraudulent data, potentially causing a user to send funds to an address controlled by the attacker.

As a decentralized prediction market platform, the dApp allows cryptocurrency users to create prediction markets for virtually any event.

To be clear, the bug was not in the Augur smart contract, as was the case with the high-profile Parity and DAO incidents. However, that does not mean the vulnerability was not serious.

As Sniezhkov explained:

"A third-party site can include a hidden iframe that can override the 'augur-node' configuration variable of a running Augur application. This variable is persisted in localStorage. In case the browser page is reloaded (by user action or a browser/OS crash), the normal websocket 'augur-node' endpoint will be replaced with the one provided by the attacker, so that all data, market addresses and transactions can be disguised."

After several days of back-and-forth with Sniezhkov over the severity of the vulnerability (i.e. whether it was merely a user interface bug or something more serious), the Forecast Foundation, which oversees development of the Augur protocol, eventually paid Sniezhkov a $5,000 bounty for disclosing the bug, which has since been fixed.
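The weakness described above is a persisted client-side setting (the 'augur-node' websocket endpoint in localStorage) that a framed page could overwrite and that survived a reload. The following is an added defensive example, not Augur's own code: a loader for such a setting that only honours endpoint values matching an allowlist, refuses to persist any override while the page is embedded in a frame, and discards an already-poisoned stored value on reload. The default endpoint, the allowlist and the `makeStorage` stand-in for `window.localStorage` are assumptions made for this example.

```javascript
// Added example (not Augur project code): hardened handling of a persisted
// "augur-node" style endpoint setting in a dApp front end.
// Defensive rules demonstrated:
//   1. An endpoint override is honoured only if it passes an allowlist
//      (websocket scheme + known host), so an injected value cannot point
//      the UI at an arbitrary server.
//   2. Overrides are never persisted while the page is framed, which is the
//      delivery mechanism the article describes.
//   3. A stored value that fails validation is discarded and the default
//      endpoint restored, so a poisoned localStorage does not survive reload.

const DEFAULT_NODE = "ws://127.0.0.1:9001";               // assumed default (hypothetical)
const ALLOWED_HOSTS = new Set(["127.0.0.1", "localhost"]); // assumed allowlist (hypothetical)
const STORAGE_KEY = "augur-node";                          // key name taken from the report

function isAllowedEndpoint(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return false;            // not a parseable URL at all
  }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return false;
  // url.hostname ignores any userinfo, so "ws://127.0.0.1@evil.example" is rejected
  return ALLOWED_HOSTS.has(url.hostname);
}

// `env` is injected so the logic runs outside a browser; in a real page it
// would be { storage: window.localStorage, framed: window.top !== window.self }.
function resolveNodeEndpoint(requestedOverride, env) {
  const { storage, framed } = env;

  // 1. Clean-up on every load: throw away a stored value that fails validation.
  const stored = storage.getItem(STORAGE_KEY);
  if (stored !== null && !isAllowedEndpoint(stored)) {
    storage.removeItem(STORAGE_KEY);
  }

  // 2. Apply a fresh override only when valid and when we are the top frame.
  if (requestedOverride !== undefined && requestedOverride !== null) {
    if (!framed && isAllowedEndpoint(requestedOverride)) {
      storage.setItem(STORAGE_KEY, requestedOverride);
      return { endpoint: requestedOverride, source: "override" };
    }
    // rejected override: fall through to the stored value or the default
  }

  // 3. Use whatever validated value remains, else the default.
  const current = storage.getItem(STORAGE_KEY);
  if (current !== null) return { endpoint: current, source: "stored" };
  return { endpoint: DEFAULT_NODE, source: "default" };
}

// Minimal stand-in for window.localStorage (constructed for this example).
function makeStorage(initial = {}) {
  const data = new Map(Object.entries(initial));
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Scenario: a framed page tries to persist an attacker-controlled endpoint,
// then the app is reloaded with a storage that was already poisoned.
function demo() {
  const fresh = makeStorage();
  const framedAttempt = resolveNodeEndpoint("ws://evil.example:9001", { storage: fresh, framed: true });
  const poisoned = makeStorage({ [STORAGE_KEY]: "ws://evil.example:9001" });
  const afterReload = resolveNodeEndpoint(undefined, { storage: poisoned, framed: false });
  return {
    framedAttempt,
    afterReload,
    poisonedCleared: poisoned.getItem(STORAGE_KEY) === null,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `window.top !== window.self` comparison is readable even when the parent is a different origin, so the framing check does not depend on the embedding site cooperating. Serving the UI with a `Content-Security-Policy: frame-ancestors 'none'` header is the complementary server-side control; the client-side checks above are what protect a locally served UI that cannot rely on such a header.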

At the moment, there is no indication that the exploit was successfully used to steal user funds. However, the Forecast Foundation has advised users to update to the latest version of the client software, particularly now that the vulnerability has been made public.

As reported by CCN, the protocol developers initially controlled a "kill switch" that could be used to effectively shut down the prediction market platform if a critical bug was discovered in the Augur smart contract during the two weeks following the dApp's launch. When no critical bugs were found, they effectively destroyed the kill switch by transferring its ownership to a "burn address".

Featured image from Shutterstock.
