The vulnerability was discovered by OpenZeppelin, a firm that has conducted security audits for many of the major players in the cryptocurrency industry including Coinbase, the Ethereum Foundation, Brave, Bitgo, Shapeshift and more.
- A faucet that mints assets (Libra Coins or any other asset on the Libra network) in exchange for a fee can deploy a malicious module that takes the fee but never actually gives the user any way to mint that asset.
- A wallet that claims to keep deposits frozen and release them after a period of time may actually never release such funds.
- A payment splitter module that appears to divide some asset and forward it to multiple parties may actually never send the corresponding part to some of them.
- A module that takes sensitive data and applies some kind of cryptographic operation to obscure it (e.g. hashing or encryption) may actually never apply that operation.
But this is hardly a complete list. When discussing a security hole that allows someone to execute code, the possibilities are endless: it all depends on how creative, or malicious, the person writing that code is.
What's normal here, and what isn't...
Discovery of security holes while a project is in the development phase is beyond common - it's standard.
The only thing we found surprising was the large gap in time between when OpenZeppelin said it informed Facebook, Aug 6th, and the date Facebook had finally fixed the code, Sept 4th.
Even odder, changes were made to this section of code during this time, but those changes left the security hole open for another 3 weeks.
Facebook says security a top priority...
One of my contacts inside Facebook told me Libra "has and will continue to go through some of the most intense security auditing/testing imaginable", adding "we're letting a lot of hackers take a stab at Libra, and it won't be launched without consensus among the developers that it's fully secure, and ready for the masses".
In all fairness, while I can't say I'm convinced Facebook entering the crypto space is a good thing, it is good they're letting outsiders put Libra's security through rigorous testing.
Nothing is more dangerous than a group of developers so sure their code is flawless that they don't see the need to test that claim before releasing it to the public. That's how insecure software ends up opening security holes on thousands, or millions, of computers.
-------
Author: Ross Davis
E-Mail: Ross@GlobalCryptoPress.com | Twitter: @RossFM
San Francisco News Desk