A white hat hacker has discovered a major vulnerability in decentralized prediction market Augur, perhaps the most highly-touted decentralized application (dApp) built on the Ethereum network.
The bug, disclosed through bug bounty platform HackerOne by security researcher Viacheslav Sniezhkov, would have allowed an attacker to inject fraudulent data into Augur’s user interface, potentially leading to a significant loss of funds on the part of affected users.
This exploit was possible because Augur’s core functionality — an uncensorable prediction market that allows users to bet on the outcome of virtually any event — is secured by the decentralized Ethereum blockchain, but the UI’s configuration settings are stored locally on the user’s computer.
Consequently, hackers could deploy malicious websites that serve hidden iframes and, unbeknownst to the user, modify the configuration settings stored in those local files such that an Augur UI would serve up fraudulent data, potentially tricking a user into sending funds to a hacker-controlled address.
As Sniezhkov explained:
“A third party site can include a hidden iframe which can override the ‘augur-node’ configuration variable of a running augur application. This variable is persisted in localStorage. In the case of browser page reload (user action or browser/OS crash), the normal ‘augur-node’ websockets endpoint will be replaced with the one provided by the attacker so that all the markets data, addresses and transactions can be masqueraded.”
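The weakness described above is a client trusting whatever endpoint it finds persisted in localStorage. The following is an added example, not Augur’s code and not part of the disclosure, of how a browser UI can treat such a setting defensively: the stored value is validated against a scheme and host allowlist before use, a tampered value is discarded and replaced with the default, and a change is only persisted when the page is the top-level window rather than a framed one. Only the key name “augur-node” comes from the article; the default endpoint, the allowlist, the `isFramed` flag and every function name are hypothetical.

```javascript
// Added example (not Augur's code): hardened handling of a persisted
// "augur-node" websocket endpoint setting. The key name is from the
// disclosure; defaults, allowlist and function names are hypothetical.

const CONFIG_KEY = "augur-node";               // key named in the disclosure
const DEFAULT_ENDPOINT = "ws://127.0.0.1:9001"; // assumed local default

// Hosts the UI is willing to connect to. A persisted value pointing
// anywhere else is treated as tampered and ignored.
const ALLOWED_HOSTS = new Set(["127.0.0.1", "localhost"]);

// Validate a candidate endpoint. Returns the normalised URL string when it
// is a ws:// or wss:// URL on an allowlisted host without credentials,
// otherwise null.
function validateEndpoint(candidate) {
  if (typeof candidate !== "string") return null;
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  if (url.username || url.password) return null;
  return url.href;
}

// Read the persisted endpoint on page load. A value that fails validation
// is removed from storage so a later reload cannot pick it up again, and
// the default is used instead. Returns what was used and what was rejected.
function loadNodeEndpoint(storage) {
  const stored = storage.getItem(CONFIG_KEY);
  if (stored === null) {
    return { endpoint: DEFAULT_ENDPOINT, rejected: null };
  }
  const valid = validateEndpoint(stored);
  if (valid === null) {
    storage.removeItem(CONFIG_KEY);
    return { endpoint: DEFAULT_ENDPOINT, rejected: stored };
  }
  return { endpoint: valid, rejected: null };
}

// Persist a new endpoint only from a top-level window and only when it
// validates. In a browser, isFramed would be `window.self !== window.top`;
// it is passed in here so the function can run outside a browser.
function saveNodeEndpoint(storage, candidate, isFramed) {
  if (isFramed) return false;
  const valid = validateEndpoint(candidate);
  if (valid === null) return false;
  storage.setItem(CONFIG_KEY, valid);
  return true;
}

// Minimal in-memory stand-in for window.localStorage so this runs in Node.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}
```

In a real deployment the server side of the UI would also send a `Content-Security-Policy: frame-ancestors 'none'` header (or `X-Frame-Options: DENY`) so the page cannot be loaded in a hidden iframe at all; the `isFramed` check in the code is the in-page fallback for the same condition.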
After sparring with Sniezhkov for several days over the severity of the vulnerability (namely, whether it constituted a UI bug or something more serious), the Forecast Foundation, which oversees the development of the Augur protocol, ultimately awarded Sniezhkov $5,000 for disclosing the bug, which has since been patched.
At present, there is no indication that the vulnerability has been successfully exploited to steal user funds. However, the Forecast Foundation has advised users to update to the latest version of the software client, particularly since the vulnerability has now been made public.