A vulnerability in Libra's open-source code that would have enabled malicious actors to manipulate smart contracts has been uncovered and patched by a third-party audit firm specializing in cryptocurrency.
Specifically, developers working for startup OpenZeppelin found vulnerabilities in Move, the scripting language developed by Facebook for the open-source Libra cryptocurrency project, an effort backed by major companies including Facebook, Lyft, Uber and MasterCard. If allowed in executable code, the vulnerabilities disclosed to the Libra team could have been severe.
“The vulnerability in the Move IR compiler allows malicious actors to introduce executable code to their smart contracts disguised as inline comments,” OpenZeppelin’s CEO Demian Brener told CoinDesk.
Founded in 2015, OpenZeppelin works with leading cryptocurrency, blockchain and internet enterprises including Coinbase, Brave browser and the Ethereum Foundation. The authors of Move work at Calibra, a subsidiary of Facebook focused on wallet development, and contributed the language to the non-profit Libra Association under a Creative Commons license.
Brener said the code was disclosed to Libra Aug. 6, with the Libra team evaluating and fixing the bug over the following month. As of Sept. 4, the patch was reviewed and confirmed to be fixed by OpenZeppelin.
Libra's stablecoin will have certain programmable features, such as the ability to make smart contracts. The full features of these smart contracts have yet to be disclosed.
Brener told CoinDesk the Libra team was highly responsive to the audits.
As larger protocols continue to develop in size and scope, Brener said audits are only growing in importance. Projects like Libra, with the potential for an international audience, require additional scrutiny, he said.
Earlier last month, Open Zeppelin concluded an audit on Compound, a decentralized finance protocol, which disclosed the ability to take out small, interest-free loans. Earlier today, it received an investment from Coinbase.
Demian Brener, founder, OpenZepplin, via CoinDesk archives