"White" Hacker Helps Augur Fix Vulnerability in the System

A white-hat hacker has discovered a flaw in Augur, one of the most widely used decentralized applications built on the Ethereum network. The hacker, who wants to help developers improve the system, reported the problem through the HackerOne bug bounty platform. The white-hat hacker was Vyacheslav Snezhkov, who found a problem that allows attackers to inject fake data into Augur's user interface, which could in the future result in loss of funds for the affected users.

As described in the hacker's report, the flaw was possible because the Augur platform, a decentralized application running on the Ethereum network, stores its UI configuration files on each user's local machine. Thus, attackers could open malicious sites on local computers, install hidden software and, without the knowledge of users, change the configuration settings on the computer. The Augur user interface would then serve fraudulent data instead of genuine data, deceiving users into sending funds to an address controlled by a hacker.

Note that the flaw is not in the Augur smart contract itself, as it was in similar situations with Parity and the DAO. Nevertheless, the vulnerability turned out to be quite serious.

As Snezhkov commented on the situation:

“A third party site can include a hidden iframe which can override ‘augur-node’ configuration variable of a running augur application. This variable is persisted in localStorage. In the case of browser page reload (user action or browser/OS crash), the normal ‘augur-node’ websockets endpoint will be replaced with the one provided by the attacker so that all the markets data, addresses and transactions can be masqueraded.”
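One way a client could defend against the persisted-endpoint override described in the report is to validate the stored "augur-node" value against an allowlist at startup and fall back to a known default. This is an added example, not Augur's code or its actual fix; `DEFAULT_NODE`, `ALLOWED_NODES` and the function names are hypothetical.

```javascript
// Added example: validate the persisted "augur-node" value before connecting.
// DEFAULT_NODE and ALLOWED_NODES are hypothetical values, not Augur's real ones.
const STORAGE_KEY = "augur-node";
const DEFAULT_NODE = "wss://node.example.org:9002";
const ALLOWED_NODES = new Set([DEFAULT_NODE, "ws://127.0.0.1:9001"]);

// Reduce a stored string to scheme://host[:port], or null if it is unusable.
function normalizeEndpoint(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // not a URL at all
  }
  if (url.protocol !== "wss:" && url.protocol !== "ws:") return null;
  if (url.username || url.password) return null; // no embedded credentials
  const loopback = url.hostname === "127.0.0.1" || url.hostname === "localhost";
  if (url.protocol === "ws:" && !loopback) return null; // cleartext only to loopback
  return `${url.protocol}//${url.host}`;
}

// Decide which endpoint to use at startup; `storage` is any object with the
// Web Storage getItem/removeItem methods (window.localStorage in a browser).
function resolveAugurNode(storage) {
  const stored = storage.getItem(STORAGE_KEY);
  if (stored === null) return { endpoint: DEFAULT_NODE, reason: "default" };
  const normalized = normalizeEndpoint(stored);
  if (normalized !== null && ALLOWED_NODES.has(normalized)) {
    return { endpoint: normalized, reason: "stored" };
  }
  storage.removeItem(STORAGE_KEY); // drop the rejected value so it cannot persist
  return { endpoint: DEFAULT_NODE, reason: "rejected" };
}

// Minimal in-memory stand-in for localStorage so the example runs under Node.js.
function memoryStorage(initial = {}) {
  const data = new Map(Object.entries(initial));
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => void data.set(k, String(v)),
    removeItem: (k) => void data.delete(k),
  };
}

// Constructed sample: a stored value that an outside page has overwritten.
const tampered = memoryStorage({ [STORAGE_KEY]: "wss://untrusted.example.net:9002" });
console.log(resolveAugurNode(tampered));
```

The `reason` field gives the UI something to surface, so a rejected endpoint becomes a visible event instead of a silent fallback.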

The Forecast Foundation, which is responsible for the Augur protocol, has for several days been in active dialogue with the white-hat hacker who discovered the problem and has even awarded him a $5,000 reward. Their task is to find out whether this vulnerability is a bug in the interface or something more serious. At the moment there is no evidence that the vulnerability has already been used to steal users' funds.