A white hat hacker has found a peril in decentralized projection market Augur. It’s the most persistent decentralized application (dApp) created on the Ethereum platform.
Security researcher Viacheslav Sniezhkov revealed the bug through the bug bounty framework HackerOne. The virus could allow an attacker to insert and corrupt data into Augur user interface. This would lead users to lose cash and get affected.
This achievement was necessitated due to Augur’s core functionality uncensored prediction market. It allows subscribers to predict the result of any circumstance. The decentralized Ethereum blockchain safeguards it. The UI configuration files are stored locally on a user’s computer.
As a result, hackers could use fake websites that serve hidden iframes and, unbeknownst to the user. Still, they can change the configuration settings kept in local files so that an Augur UI would serve up fraudulent data. In the end, they will cheat users to send funds to scammer controlled address.
Note that the bug wasn’t in the Augur smart contract unlike in the case of high-profile Parity and DAO incidents. Above all, the vulnerability is serious like other bugs.
Sniezhkov said:
“A third-party site can include a hidden iframe which can override “augur-node” configuration variable of a running augur application. This variable is persisted in localStorage. In the case of browser page reload (user action or browser/OS crash), the normal “augur-node” web sockets endpoint will be replaced with the provided by the attacker so that all the markets data, addresses, and transactions can be masqueraded.”
After several days of sparring with Snizhkov over the intensity of the peril (whether it’s a composed UI bug or something more dangerous), the Forecast Foundation, which manages the development of the Augur protocol, gave $5,000 to Sniezhkov for sharing the virus. It has then been sealed.
As of now, there is no sign to validate the exploit was used to steal users money. But the Forecast Foundation has advised the user to upgrade to the latest version of the software client, especially now that unfortified is now public.
According to a report, two weeks before dApp was launched, the developers of the protocol used the kill switch to shut down prediction markets platform is a dangerous bug was discovered in the Augur smart contract. Since there were no detrimental bugs, the kill switch was destroyed and ownership transferred to burn address.
Image Courtesy of Pixabay.
Follow us on Twitter, Facebook, Steemit, and join our Telegram channel for the latest blockchain and cryptocurrency news.