Vulnerability Found and Patched in Libra Script
The Libra open-source scripting language Move featured a vulnerability which would have allowed hackers to manipulate the network’s smart contracts.
The bug was discovered by the OpenZeppelin blockchain security firm. OpenZeppelin also provides its services to other leading crypto businesses, including Coinbase, Brave browser, and the Ethereum Foundation.
The Libra team quickly patched the bug once the firm revealed its findings.
The Move scripting language allows programmers to define custom resource types, in which a resource cannot be copied or erased, but only have their storage locations changed. The vulnerability was present in Move’s intermediate representation language compiler that allowed the manipulation of inline comments, through which malicious code could have been propagated through the network.
“As cryptocurrency continues to grow in popularity, it is vital for companies to audit and ensure that their networks are secure. Libra is groundbreaking, and it’s great how they involve the community by open-sourcing their code early in the process. Because of this, we were able to find this vulnerability before the Libra network went live, averting potentially damaging effects. Our team shared several exploit scenarios with the Libra team that illustrated why they needed to address this issue quickly,” – said Demian Brener, the company’s CEO.
OpenZeppelin provided more details on their blog, including the scenarios in which the code could have been exploited by bad actors:
“The potential impact of the vulnerability can vary greatly and depend on i) the business logic of each specific module and its use cases, ii) current and future features of the Move IR language, and iii) the developer platform being used to submit bytecode to the Libra network. Some potential exploiting scenarios one can think of are:
- A faucet that mints assets (Libra Coins or any other asset on the Libra network) in exchange for a fee can deploy a malicious module that takes a fee but never actually provide the possibility of minting such asset to the user.
- A wallet that claims to keep deposits frozen and release them after a period of time may actually never release such funds.
- A payment splitter module that appears to divide some asset and forward it to multiple parties may actually never send the corresponding part to some of them.
- A module that takes sensitive data and applies some kind of cryptographic operation to obscure it (e.g. hashing or encrypting operations) may actually never apply such operation.”
The post also features the timeline of the Libra team and how it responded to the audits. The team moved relatively fast and introduced a patch to prevent the use of vulnerability.
So far, there have been little details provided on Libra’s smart contracts, aside from the fact that they are programmable.
Featured Image: The Register