A white-hat hacker discovered a serious vulnerability in Augur, a decentralized prediction market and perhaps the most widely used decentralized application (dApp) built on Ethereum.
The bug, described on the bug bounty platform HackerOne by security researcher Vyacheslav Nikov, would have allowed an attacker to inject fraudulent data into the Augur user interface, potentially leading to significant loss of funds for affected users.
The exploit was possible because, while Augur's core functionality runs on the decentralized Ethereum blockchain, the UI's configuration files are stored locally on the user's computer.
A hacker could therefore set up a malicious website containing hidden frames that, without the user's knowledge, modify the configuration settings stored in those local files, so that the Augur user interface would serve fraudulent data, potentially tricking the user into sending funds to an attacker-controlled address.
It is important to note that the bug was not in Augur's smart contracts, as it was in the high-profile Parity and DAO incidents. That does not mean the vulnerability was not serious, however.
As Nikov explained:
“A third-party site may include a hidden iframe that overrides the configuration variable ‘augur-node’ of the running Augur application. This variable is stored in localStorage. On a page reload in the browser (by user action or a browser/OS failure), the usual ‘augur-node’ endpoint for the website will be replaced by the attacker-provided one, so that all the information, addresses and transactions on the markets can be substituted.”
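The defensive counterpart to the issue described in the quote, as an added example that is not Augur's own code: a config loader that treats the "augur-node" value in localStorage as untrusted input, accepts it only if its origin is on an allowlist, and otherwise restores the default and reports the rejected value so the UI can warn the user. The default endpoint, the allowlist and the in-memory stand-in for localStorage are constructed for this example.

```javascript
// Added example (not Augur's code): hardened loading of the "augur-node"
// endpoint that the Augur UI kept in localStorage.
const STORAGE_KEY = "augur-node";
const DEFAULT_AUGUR_NODE = "http://localhost:9001"; // placeholder default, assumed

// Origins the UI is willing to talk to; anything else is treated as tampering.
const TRUSTED_ORIGINS = new Set(["http://localhost:9001", "ws://localhost:9001"]);

// Accept a value only if it parses as a URL whose scheme and host are allowlisted.
function isTrustedEndpoint(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch (e) {
    return false; // not a URL at all (e.g. garbage written by another page)
  }
  return TRUSTED_ORIGINS.has(`${url.protocol}//${url.host}`);
}

// Read the endpoint; if the stored value is not trusted, restore the default
// and hand back the rejected value so the caller can surface a warning.
function loadAugurNodeEndpoint(storage) {
  const stored = storage.getItem(STORAGE_KEY);
  if (stored === null) {
    return { endpoint: DEFAULT_AUGUR_NODE, tampered: false, rejected: null };
  }
  if (isTrustedEndpoint(stored)) {
    return { endpoint: stored, tampered: false, rejected: null };
  }
  storage.setItem(STORAGE_KEY, DEFAULT_AUGUR_NODE);
  return { endpoint: DEFAULT_AUGUR_NODE, tampered: true, rejected: stored };
}

// Minimal stand-in for window.localStorage so the example runs outside a browser.
function makeStorage(initial = {}) {
  const items = new Map(Object.entries(initial));
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
  };
}

// Constructed scenario: a framed page has overwritten the key with its own server.
const tamperedStore = makeStorage({ "augur-node": "https://attacker.example/augur-node" });
const result = loadAugurNodeEndpoint(tamperedStore);
console.log(result); // tampered: true, endpoint reset to the default
```

Pairing this with a `Content-Security-Policy: frame-ancestors` header on the UI would also stop the hidden-iframe delivery in the first place, but the loader above is what limits the damage if the value is changed by any other route.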
After investigating the vulnerability Nikov disclosed, namely whether it was merely a UI bug or something more serious, the Forecast Foundation, which oversees development of the Augur protocol, ultimately awarded the hacker $5,000.
Currently there is no indication that the vulnerability has been successfully used to steal funds. However, the Forecast Foundation recommended that users upgrade to the latest version of the software, especially now that information about the vulnerability has become public.