Blockchain-based prediction marketplace Augur is under fire after bounty hunters uncovered a significant security vulnerability that could potentially be used to siphon off millions of dollars.
Betting on Augur’s Security?
As per a report by The Next Web on Aug. 7, the decentralized betting platform has low levels of customer and interface security, allowing hackers to duplicate the platform, create fake datasets and rig betting outcomes.
First published on HackerOne, a crowd-sourced ethical hacking platform that rewards users who detect bugs, ethical hacker droblin created a post that listed “Client-Side Enforcement of Server-Side Security” as a “weakness” of the Augur protocol.
The hacker listed some steps that made it possible to fake several aspects of the Augur protocol:
Such attack vectors are called “frame jacking” by security experts, meaning a platform’s underlying HTML code is manipulated and exploited by nefarious actors to gain control of the output, in this case Augur’s prediction data.
A “frame-jacked” user would see the correct domain name in the browser, but be shown false data originating from the hacker’s servers.
Droblin explained the extent of such a vulnerability in his post on HackerOne:
“User visits a link from the internet; an attacker replaces his Augur application data then: market data, Ethereum addresses, everything.”
For a platform like Augur (REP), which relies entirely on correct data and collated information to function, this lapse in security is insurmountable.
The primary question is how data can be manipulated when a blockchain is fundamentally immutable. The answer lies in Augur’s decision to store a certain number of files on servers belonging to the company. Hence, while Augur’s blockchain is fully intact and working as designed, hackers have, or could have, manipulated the front end.
For a project that raised $5.5 million in 2016, such poor design choices represent a single point of failure, especially considering the increased attention the cryptocurrency industry enjoys from hackers and other bad actors.
Meanwhile, the security researcher lashed out at Augur’s comments on the HackerOne post after the company classified the bug as “medium severity.”
The researcher also explored the possible consequences of such bugs after disagreeing with the medium-grade severity classification assigned by the Augur team. Droblin stated:
“Someone could find it and just create a post on Medium or somewhere else, describing how easy it is to hijack Augur’s UI data,”
And added:
“This stupid, simple, small and critical bug was found in Augur’s bug bounty program, the one with very high bonuses for essential bugs and meager expectations for such bugs being actually found.”
While the post has since been taken down and Augur’s developers have maintained their classification of the incident, droblin was paid $5,000 in bounties, up from the standard $1,500 for that level of severity.
CryptoSlate first reported on the enterprising and successful launch of the prediction marketplace in July, finding that the platform paid out $20,000 to punters in its first week, spread across a wide range of betting markets.
There may be a few malevolent aspects to Augur’s platform, courtesy of its decentralized, open-for-all, censorship-free derivatives markets.
Celebrity assassinations, for instance, also became a hot topic on the platform in July, ahead of other forms of betting such as sports or weather forecasts.