A massive vulnerability has been discovered in the decentralized betting platform Augur. Hackers have been able to feed users incorrect data and game the system.
Everything shown by the app was susceptible to faking, from transactions to wallet addresses – even the markets could have been forgeries.
Augur is a wonderful place where you can place wetwork orders for high-profile figures like US President Donald Trump and Amazon boss Jeff Bezos. It’s a next-generation betting platform that allows wagers on pretty much anything.
This brand of attack is called frame-jacking: it manipulates the HTML that controls how data is displayed when that data is syndicated from external sources. A frame-jacked user sees the ‘correct’ domain in the address bar, but the data shown is incorrect and misleading, funnelled in from a different location rather than directly from Augur.
“A user visits a link from the internet, and his Augur application data is then replaced by an attacker – market data, Ethereum addresses, everything.”
Augur’s native cryptocurrency, REP, is even distributed for settling outstanding bets by confirming their outcome. Truly, from top to bottom, the entire platform relies on accurate, up-to-date information: users need to be able to trust the data they’re being fed.
The decentralized design of its back-end is supposed to maintain that trust. In this case, though, users have been let down by its reliance on centralized user interfaces (UIs).
In particular, this highlights how such design choices breed single points of failure. Hackers were able to access sensitive code because it was stored locally, a design choice usually avoided for security reasons.
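The two defensive controls that the frame-jacking pattern above calls for are (1) telling browsers the UI may never be embedded by another site and (2) having the UI itself refuse to run when framed and verify that the data source it is about to trust is the expected one, rather than some other location. The following is an added example written for this article, not Augur’s code or part of its client; the origins, the `startupCheck` helper and the constructed window objects are assumptions for illustration.

```javascript
// Added defensive example (not Augur's code). Two checks a dApp front-end can apply
// against frame-jacking: (1) headers that forbid embedding the UI in another site's
// frame, (2) a runtime check that refuses to render when framed and validates the
// data endpoint before connecting to it. All origins are constructed placeholders.

const TRUSTED_DATA_ORIGINS = new Set([
  'https://node.example-dapp.test', // placeholder: the UI's own backend origin
]);

// Response headers the hosting server should send with the UI's HTML.
// CSP frame-ancestors is the modern control; X-Frame-Options covers older browsers.
function frameProtectionHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// A page whose `top` window differs from `self` is inside someone else's frame.
// Reading `top` across origins can throw in some browsers; treat that as framed too.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (err) {
    return true;
  }
}

// Validate a data endpoint before the UI connects to it. Returns the normalised
// URL, or throws when the URL is malformed, not HTTPS, or not on the allow-list.
function validateDataEndpoint(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch (err) {
    throw new Error(`data endpoint is not a valid URL: ${candidate}`);
  }
  if (url.protocol !== 'https:') {
    throw new Error(`data endpoint must use https: ${candidate}`);
  }
  if (!TRUSTED_DATA_ORIGINS.has(url.origin)) {
    throw new Error(`data endpoint origin not trusted: ${url.origin}`);
  }
  return url.href;
}

// Decide whether the UI should render at all, given a window object and the
// endpoint it was configured with. Returns { ok: true, endpoint } or { ok: false, reason }.
function startupCheck(win, configuredEndpoint) {
  if (isFramed(win)) {
    return { ok: false, reason: 'framed' };
  }
  try {
    return { ok: true, endpoint: validateDataEndpoint(configuredEndpoint) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed stand-ins for browser windows (no real DOM is involved here).
const topLevelWindow = {};
topLevelWindow.self = topLevelWindow;
topLevelWindow.top = topLevelWindow;

const framedWindow = { self: {}, top: {} };

console.log(frameProtectionHeaders());
console.log(startupCheck(topLevelWindow, 'https://node.example-dapp.test/api'));
console.log(startupCheck(framedWindow, 'https://node.example-dapp.test/api'));
console.log(startupCheck(topLevelWindow, 'https://attacker.example/api'));
```

The header check and the runtime check are deliberately independent: the headers stop a browser from loading the UI inside a hostile frame at all, while `startupCheck` still refuses to trust a swapped-in data source even if the page is somehow loaded top-level with a tampered configuration.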
The researcher also explored the possible consequences of such bugs, after disagreeing with the Augur team’s medium-severity classification of it.
In the case it is discovered by someone not participating in the bug bounty program, what would he do? Well, the logical step, in the case someone wanted to exploit it, would be, for example, sending out phishing links to Augur users … replacing all the Ethereum addresses with his own, [leading to] fund loss.
Someone could find it and just create a post on Medium or somewhere else, describing how easy it is to hijack Augur’s UI data.
[…] This stupid, simple, small, and critical bug was found in Augur’s bug bounty program, the one with very high bonuses for critical bugs and very low expectations of such bugs actually being found.
In the end, though, the developers maintained their position, primarily because the error was in the UI, not the underlying platform. As such, the security researcher received $1,500 for his discovery.
The vulnerability has since been patched, so users are urged to update their Augur client.
Really, though, this is just more proof that HackerOne’s white-hat ecosystem has become quite lucrative. Bug bounties are being paid out almost every day – we recently reported on one set of bounties distributed to those finding kinks in the code of the anonymous cryptocurrency Monero.
Published August 7, 2018 — 16:09 UTC