A vulnerability in Libra’s open-source code that would have enabled malicious actors to manipulate smart contracts has been uncovered and patched by a third-party audit firm specializing in cryptocurrency.
Specifically, developers working for startup OpenZeppelin found vulnerabilities in Move, the scripting language developed by Facebook for the open-source Libra cryptocurrency project, an effort backed by major companies including Facebook, Lyft, Uber and MasterCard. If allowed in executable code, the vulnerabilities disclosed to the Libra team could have been severe.
“The vulnerability in the Move IR compiler allows malicious actors to introduce executable code to their smart contracts disguised as inline comments,” OpenZeppelin’s CEO Demian Brener told CoinDesk.
He continued:
“The good news is that it was found and patched before the platform was live. Issues once thought of as benign can become more severe in the blockchain setting because auditability substitutes for trust.”
Founded in 2015, OpenZeppelin works with leading cryptocurrency, blockchain and internet enterprises including Coinbase, Brave browser and the Ethereum Foundation. The authors of Move work at Calibra, a subsidiary of Facebook focused on wallet development, and contributed the language to the non-profit Libra Association under a Creative Commons license.
Brener said the code was disclosed to Libra Aug. 6, with the Libra team evaluating and fixing the bug over the following month. As of Sept. 4, the patch was reviewed and confirmed to be fixed by OpenZeppelin.
Libra’s stablecoin will have certain programmable features, such as the ability to make smart contracts. The full features of these smart contracts have yet to be disclosed.
Brener told CoinDesk the Libra team was highly responsive to the audits.
As larger protocols continue to develop in size and scope, Brenner said audits are only growing in importance. Projects like Libra, with the potential for an international audience, require additional scrutiny, he said.
“We are seeing how huge and complex these systems are Libra is the first of many that are coming… and these systems go live and they manage millions of dollars by billions of people. It’s important to know what these complex systems are…people [need to be] aware of the potential.”
Earlier last month, Open Zeppelin concluded an audit on Compound, a decentralized finance protocol, which disclosed the ability to take out small, interest-free loans. Earlier today, it received an investment from Coinbase.
Demian Brenner, founder, Open Zepplin, via CoinDesk archives