Augur (REP) Vulnerability Exposed by White Hat Hacker via HackerOne Bug Bounty Program
Hacker Reveals Augur Vulnerability
Decentralized exchanges have long been a goal of the cryptocurrency community, as well as a working product within the markets. Large fees and vulnerability to hacking attempts are major problems seen within the centralized exchange markets, and many within the cryptocurrency community continue to look towards smaller, but decentralized markets as a viable alternative to the traditionally centralized exchange structure.
Augur has quickly distinguished itself as the most global and well-known name among the decentralized markets. Built on the Ethereum blockchain, the market is known as a dApp, or a decentralized application. But Augur isn’t just an exchange platform. Instead, it functions as a prediction market. On Augur, investors can put their money into predicting the potential outcomes of thousands of different things. The market also recently made global news when it was exposed that some people on the market were betting on dangerous things, such as the likelihood that President Donald Trump will be assassinated.
But now, the market is being judged for something different entirely. According to a disclosure on HackerOne’s bug bounty platform, a security researcher found a way to inject false data into Augur’s user interface, a bug which could have cost the affected users potentially hundreds of thousands of dollars. The exposure of this exploit has led many to reconsider the relative safety of the decentralized exchange platform entirely.
How It Works
This particular exploit functioned because Augur uses the Ethereum blockchain to secure its uncensorable prediction market. The files that make up the user-interface portion of the application are stored locally, meaning they reside on the user’s own device or computer. As a result, an attacker who is able to inject fraudulent data into these files can change how the UI behaves on the Augur platform.
A malicious actor could easily use this to make the Augur UI show the user fraudulent information that results in lost funds. For example, an attacker who gained access to these files could alter the Augur interface so that it displays the wrong account as the “deposit” wallet. When the user then goes to deposit their funds, they would send the money to the attacker’s account, losing those funds forever.
Patching The Bug
At first, the Augur development company Forecast Foundation attempted to argue that the bug that the security researcher found was insignificant, merely a UI-based glitch. But after a few days of argument, the company agreed to pay the whitehat hacker, named Viacheslav Sniezhkov, a bounty of USD $5,000.
Additionally, the developers patched the bug. It is unclear at this point exactly how the bug was patched, but users of the Augur platform are strongly advised to update the client used to run the program promptly. Because news of the bug has been made public, all versions prior to the newest remain at extreme risk.