Software and coding bugs can affect any platform or project. In the cryptocurrency world, such problems affecting prediction markets can be very problematic. Augur users barely escaped a major vulnerability that could have potentially crippled the betting platform and resulted in significant financial losses.
The Augur Vulnerability Explained
Prediction markets try to harness the wisdom of the crowd. Users can place “bets’ on the outcome of real-world events and major decisions. This business model can only work if the information shared with the platform is completely genuine. For Augur, it seems there is a vulnerability which allows for fake data to be shared with users. Unfortunately, this issue extends to any and all information displayed on the decentralized prediction market’s app.
Researchers have dubbed this attack as “frame-jacking”. It is a method pertaining to manipulating HTML code depicting how data is displayed to users. This is very different from a fake Augur application making the rounds, as that is not the case whatsoever. Instead, the prediction markets’ sourcing of external data can result in fake information being shown. That data does not originate from Augur itself, albeit it would appear otherwise.
The vulnerability can be rather crippling for Augur. Frame-jacking can modify market data, Ethereum addresses, and so forth. It is a very problematic development for a platform which fully relies on accurate up-to-date information. This exploit has been reported to the developers and an updated client has been released. Users are advised to update their application accordingly.
Not a Trustless Environment
Incidents like these highlight key flaws with platforms which require inherent trust. Despite being decentralized, Augur cannot operate without trust. If the sourced information cannot be relied upon, projects like these will have no long-term future. The fact this information can be manipulated so easily shows there’s still plenty of work to be done.
The Augur developers purposefully store some UI information locally – unfortunately, this practice can often lead to single points of failure, which can make the platform vulnerable. Luckily, a security researcher working through HackerOne’s bug bounty platform discovered the flaw, rather than an actual criminal.
The “white hat hacker” summed up the effects of the vulnerability:
User visits a link from internet, his Augur application data is replaced by an attacker then – market data, Ethereum addresses, everything.
He then goes on to explain in further detail:
In the case it is discovered by someone not participating in bug bounty program. What would he do? Well, the logical step in the case someone wanted to exploit it would be, for example, sending out phishing links to Augur users … replacing all the Ethereum addresses with his own, [leading to] fund loss.
Someone could find it and just create post a Medium or somewhere else, describing how is it easy to hijack Augur’s UI data.
[…] This stupid, simple, small, and critical bug was found in Augur’s bug bounty program, the one with very high bonuses for critical bugs and very low expectations of such bugs being actually found.
How such a key issue was allowed to ship as part of the Augur app remains unknown. Although the project’s underlying platform remains unaffected, it is still a gross oversight.
The researcher who uncovered the exploit was rewarded a $5,000 bug bounty reward in the end – a price well worth preventing the potential loss of millions of dollars in both user and platform funds.
What do you think about the idea of the “white hat hacker”? What should Augur developers do in the future to prevent further vulnerabilities? Let us know in the comments below.
Images courtesy of Shutterstock