Augur REP Token Critical Vulnerability Disclosure
Zeppelin Solutions

The untyped index in a bounded accessible array allows “spillover” access to what should be an inaccessible variable, namely the creation timestamp. This is another instance of code leaving what should be a locked door open to a manipulator. As stated in the article, this is an intrinsic vulnerability in the language, making Serpent unsuitable for enterprise.

This breach is similar to two others that come to mind. The DAO hack left the door open through relinquishing control to a payout function in an external contract. The Parity hack left the door open with an unguarded init function.

Contracts need to be written from a closed position with all openings written to be exclusive to their intended use. Someone needs to develop an auditing algorithm that checks these openings. As part of the development process, coders should define the intended use of all functions and other openings in their contracts. The auditing algorithm, through random execution, could detect deviations from intended use. Addressing these deviations would reduce the frequency of unintended manipulations.
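
The random-execution audit suggested in the comment above, sketched as an added example (not part of the original comment, and not Augur's or Zeppelin's code). It assumes a toy flat-storage model with constructed names and layout: each function declares the slots it may write, and a random executor flags any write outside them.

```python
import random

ARRAY_LEN = 4          # constructed: size of the bounded array
TS_SLOT = ARRAY_LEN    # constructed: creation timestamp stored right after it

class ToyToken:
    """Toy flat-storage contract; not Augur's code or real Serpent semantics."""
    def __init__(self, created_at, checked):
        self.storage = [0] * ARRAY_LEN + [created_at]
        self.checked = checked

    def set_entry(self, index, value):
        # Hardened variant rejects any index outside the declared array bounds.
        if self.checked and not 0 <= index < ARRAY_LEN:
            return False
        # Unchecked variant only stops at the end of storage itself.
        if not 0 <= index < len(self.storage):
            return False
        self.storage[index] = value
        return True

# Declared intended use: for each function, the storage slots it may change.
INTENDED_WRITES = {"set_entry": set(range(ARRAY_LEN))}

def audit(make_contract, runs=2000, seed=1):
    """Randomly execute set_entry; report writes outside its intended slots."""
    rng = random.Random(seed)
    deviations = []
    for _ in range(runs):
        contract = make_contract()
        before = list(contract.storage)
        index = rng.randint(-2, ARRAY_LEN + 2)
        contract.set_entry(index, rng.randint(1, 10**6))
        changed = {i for i, (a, b) in enumerate(zip(before, contract.storage))
                   if a != b}
        stray = changed - INTENDED_WRITES["set_entry"]
        if stray:
            deviations.append((index, sorted(stray)))
    return deviations

def run_demo():
    unchecked = audit(lambda: ToyToken(1500000000, checked=False))
    hardened = audit(lambda: ToyToken(1500000000, checked=True))
    return unchecked, hardened

if __name__ == "__main__":
    unchecked, hardened = run_demo()
    print("unchecked deviations:", len(unchecked), "first:", unchecked[:1])
    print("hardened deviations:", len(hardened))
```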
