White Hat Hacker Exposes Critical Vulnerability in Augur Platform

According to a report published on The Next Web, the decentralized betting platform Augur was found to possess a critical bug, which could potentially allow cyber hackers to provide wrong information to the users and rig the mechanism of prediction markets website. The report published on August 7, 2018, states that the bug could allow hackers to manipulate transactions, user wallet address, and even the relevant markets.

Vulnerability in Platform Could Deceive Investors

For the uninitiated, here is a comprehensive write-up on the entire history of Augur and its utility in the blockchain and crypto world. In a nutshell, Augur is an Ethereum-based platform that allows its users to participate in prediction markets for monetary incentives. The currency used in Augur transactions is ether.

When a situation is presented on Augur, bets are placed by the users predicting its outcome. Interested users can purchase shares in the outcome of a specific event. If the investor buys shares of the correct result, they are rewarded prizes in the form of ether (ETH). The platform recently came into limelight when it became clear that some people in the market were placing bets on ridiculous scenarios, for example, the odds of President Donald Trump being assassinated.

The technical issue that Augur was facing is called “frame-jacking.” This kind of cyber attack manipulates and forges HTML code that determines how data is visible to the user when the interface imports the data from an external source. Even if the user being attacked might, in fact, be viewing the correct domain, the data visible to the user might be wrong or forged. The attack imports the malicious data from somewhere outside Augur, i.e., a third party address.

In a report submitted to HackerOne, the security analyst responsible tried to make the matter as clear as possible:

“User visits a link from internet, his Augur application data is replaced by an attacker then – market data, Ethereum addresses, everything.”

UI to Blame, not Platform

The idea behind Augur’s functionality is built around the concept of decentralization. Hence, it becomes imperative for the users to receive accurate data so they can place their bets in the predictive markets accordingly. However, it was found out that certain files from Augur’s UI are stored locally and not on a blockchain network, and thus the hackers were able to breach the security and access these files easily.

Meanwhile, developers maintained that the bug only exists in the UI, not in the underlying technological platform. Either way, the virus has since been fixed, and users are recommended to update their Augur client promptly.

Later, it was revealed that the security researcher and white hat hacker Viacheslav Sniezhkov was paid a healthy sum of $5,000, a figure double the maximum payout for UI issues in Augur, i.e., $2,500. This disparity in payout sheds light on the severity of the whole affair, virtually confirming that the bug was not merely a UI glitch on the platform.