Augur Bug Allowed Anyone to Manipulate What Users See, Now Fixed Says Joey Krug


A bug in Augur allowed any skilled individual to show users incorrect market data through a framejacking attack, which would have made it possible for a hacker to replace market data, addresses and transactions with whatever he or she wished.

The vulnerability has now been fixed according to Joey Krug, co-founder of Augur. He tells Trustnodes:

“The patch is to use helmetjs (or something like it) to add the missing headers to prevent framejacking attacks. Already implemented.”

The high severity vulnerability was revealed to Augur’s bug bounty with $5,000 given as reward for its disclosure. Krug says:

“Using this attack someone could target users by making their UIs display invalid data if you visited or clicked on a website with this attack implemented, but it wouldn’t have affected the underlying markets’ integrity.”

That is, individual users might have seen incorrect data, but the market in general would continue functioning, as this was a sort of man-in-the-middle attack targeting specific users rather than the entire dapp.

Data that determines the outcome of the markets themselves is unaffected, with Krug stating “that’s done by reporters and a staking mechanism that involves disputes if people believe a result is being manipulated.”

That makes the bug limited in its effects, but it might be another setback: after attracting considerable volumes since Augur launched this July, it has recently seen less usage, with some saying they’re a bit disappointed. In response, Krug says:

“The first release of Augur is meant to prove the idea out and help harden things security wise. The success case there is that it fundamentally works. But it was always going to be clunky, slow, expensive, and difficult to use. Those are all things that’ll take time to change as the UX is improved upon over the coming months and years.

If there’s something specific you don’t like, Augur’s an open source project, feel free to open an issue and make a suggestion, make a pull request, or even use something like gitcoin to post a bounty for some feature you really want that just isn’t there at the moment.”

He says “the launch has gone great if you judge it by that metric (markets are getting resolved correctly, you can place trades but the UX is quite poor, etc.), but the launch was always just the beginning.

The future is all about improving the user experience, dropping cost, making things faster, and overall making it easy to use. That’s the difference between something that’s ok/a novelty and something that’s actually useful.”

We wondered whether he has a time estimate of when he thinks the dapp might be useful, with Krug stating:

“I think it primarily comes down to speed and cost. Most UX issues in Augur boil down to those two things at the root of it. I think we’ll see some substantial improvements in both over the next 6-12 months.

Things like 0x style trading, being able to use dai as the currency instead of just ether. Cheaper fiat on-ramps than Coinbase.

Further out on the 2-3 year time horizon things like sharding will help as well.”

The network has recently been congested due to what looks like a spam account that is randomly moving eth around for no apparent reason. We asked if this congestion is affecting Augur and whether they are using things like state channels to make less use of the blockchain. Krug says:

“Yeah have been looking at state channels. They’re very hard to do for trading without requiring enormous amounts of extra capital/collateral due to the nature of how they work.

That said I imagine we’ll see some for profit businesses built on top of Augur offering Augur markets through state channels (have heard of a few people working on it).”

State channels usually require funds to be locked in a channel, so we asked whether that’s what he meant by “enormous amounts of extra capital.” We also asked if he could reveal more about these businesses that are building on Augur. Krug says:

“Users have to lock eth in the channel (and whoever operates the state channel hub has to lock n users * eth collateral). is one that’s building a lot of value added services around Augur a la a Bloomberg terminal. The ones actually making markets or 0x style trading are a bit earlier (there’s been some discussion of it in the 0x riot chat) because it takes more dev time to spin up.”

Augur raised some 1.2 million eth in an ICO during October 2015. Back then it was worth far less, but now it amounts to nearly half a billion dollars.

It is unclear how much of those funds they retained in eth and how much they converted to fiat, but considering the vast sums, the project should presumably have sufficient resources to work towards making the dapp “actually useful.”



