A third-party cryptocurrency audit firm discovered and corrected a vulnerability in Libra’s open source code that would have allowed malicious actors to manipulate smart contracts.
Specifically, developers working for the startup OpenZeppelin found vulnerabilities in Move, the scripting language developed by Facebook for the Libra open source cryptocurrency project, an effort backed by leading companies including Facebook, Lyft, Uber and MasterCard. Had they made it into production code, the vulnerabilities reported to the Libra team could have been serious.
“The vulnerability in the Move IR compiler allows malicious actors to enter executable code into their smart contracts disguised as online comments,” OpenZeppelin CEO Demian Brener told CoinDesk.
“The good news is that it was found and patched before the platform was live. Issues once thought of as benign can become more severe in the blockchain setting because auditability substitutes for trust.”
Founded in 2015, OpenZeppelin works with major cryptocurrency, blockchain and internet companies, including Coinbase, the Brave browser and the Ethereum Foundation. The authors of Move work at Calibra, a Facebook subsidiary focused on wallet development, and contributed the language to the nonprofit Libra Association under a Creative Commons license.
Brener said the vulnerability was disclosed to Libra on August 6, and the Libra team evaluated and repaired the error over the following month. On September 4, OpenZeppelin reviewed the patch and confirmed that it fixed the issue.
Libra's stablecoin will have certain programmable features, such as the ability to run smart contracts. The full feature set of these smart contracts has not yet been disclosed.
Brener told CoinDesk that the Libra team was very receptive to audits.
As protocols continue to grow in size and scope, Brener said, audits are only growing in importance. Projects like Libra, with the potential for an international audience, require additional scrutiny, he said.
“We are seeing how huge and complex these systems are. Libra is the first of many that are coming… and these systems go live and they manage millions of dollars by billions of people. It’s important to know what these complex systems are… people [need to be] aware of the potential.”
Earlier last month, OpenZeppelin concluded an audit of Compound, a decentralized financial protocol, that revealed a way to obtain small, interest-free loans. Earlier today, the firm received an investment from Coinbase.
Demian Brener, founder, OpenZeppelin, via CoinDesk archives