White Hat Hacker Uncovers Augur’s Vulnerability & Gets $5,000 Reward

Recently, a white hat hacker uncovered a major vulnerability in the famous decentralized application (dApp), Augur. It gained extreme popularity during the FIFA world cup, and was among the first ever coin offerings through the Ethereum platform.

Augur is basically a decentralized oracle and prediction market platform built on the Ethereum blockchain. Where, like a traditional stock market, individuals can buy and sell predictions until the real results are decided and settled upon. Augur had a tremendous start in 2015, when it was among the most fruitful ICO’s, raising almost $5.5 million. Which is why it’s recently discovered weakness comes as a shock.

How Does the Bug Operate?

The bug itself was revealed through HackerOne by a security researcher, Viacheslav Sniezhkov. The bug, in theory, would allow the hacker to insert fraudulent data into Auger’s user interface. Therefore giving the hackers the power to deploy malicious websites that would present hidden iframes, unknown to the user, and alter the configuration settings stored in those local files, such that an Augur UI would offer fraudulent data, possibly tricking a user into sending funds to a hacker-controlled address.

A third party site can include a hidden iframe, which can override “augur-node” configuration variable of a running augur application. This variable is persisted in localStorage. In the case of browser page reload (user action or browser/OS crash), the normal “augur-node” websockets endpoint will be replaced with the provided by attacker so that all the markets data, addresses and transactions can be masqueraded.

Initially, Augur had applied a kill switch in their smart contract, thus allowing their developers to fix any unanticipated problems. This was mainly applied to prevent any critical or fatal bugs from attacking the network. Later, however the ownership of the kill switches privilege was shifted to a burn address. This meant that the Augur team no longer had any privileged access over the network. 

The report also outlined the steps to reproduce.

  1. Start Augur application
  2. Open application
  3. Click on “markets” tab
  4. Start web socket server on port 8081 (different from the Augur one)
  5. Open HTML page with iframe which loads Augur’s initial page with “augur-node” parameter overwritten by new value, for example in my test case
  6. Observe “Application” data tab in developer tools, the augur-node variable is set to new value:
  7. Reload opened application (simulating user occasional reload or browser crash, or a user opening Augur app form bookmarks)
  8. Observe the log console of the web sockets server: you can see requests for categories, market data etc.
  9. Observe the Augur application UI – no data is provided as the fake web sockets server has been called, we only need to add implementation and return fake data there to get user misdirected

What allowed Viacheslav to uncover the bug was Augur’s core functionality. Which means that certain configuration files are stored locally on any user’s computer, which in turn could have provided the hackers with means to manipulate the user. The bug posed a huge threat to both, the funds and reputation loss for Augur. Hence Viacheslav was awarded with a sum of $5,000 from the Forecast Foundation that supervises the Augur Protocol, for aiding in the detection of the bug apparently before anything was stolen, saving them from major damages. It was further revealed that the bug was in fact not in Augur’s smart contract.

Augur’s bug bounty program offers a reward of up to $200,000 and the bug found by Viacheslav, was considered as a ‘medium severity’:

The engineering team has further assessed this report, and has concluded to pay out the maximum as a medium severity report (the maximum UI severity assessment). We really appreciate you taking the time to write up this report, include thorough details, and communicate with the team. The Forecast Foundation OU

But later, the severity was raised to ‘high’, rewarding him with $5,000.

The bug has been dealt with, however the Forecast Foundation does recommend all its users to upgrade to the latest version of the software instantly.

Hacking and crypto scams have become a part of the blockchain world and it is evident that the technology must constantly evolve to thwart these digital threats.

Abeer Anwaar

Abeer holds a Bachelors degree in Media studies and covers blockchain startups for BlockPublisher. An optimist, excels in the art of the written word and swears by the joy of all things sweet. Contact the editor at editor.startups@blockpublisher.com

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.