Vulnerability Fixed in Facebook Contract Language for Libra Cryptocurrency

A vulnerability in Libra's open-source code that would have enabled malicious actors to manipulate smart contracts has been uncovered and patched by a third-party audit firm specializing in cryptocurrency.

Specifically, developers working for startup OpenZeppelin found vulnerabilities in Move, the scripting language developed by Facebook for the open-source Libra cryptocurrency project, an effort backed by major companies including Facebook, Lyft, Uber and MasterCard. If allowed in executable code, the vulnerabilities disclosed to the Libra team could have been severe.

“The vulnerability in the Move IR compiler allows malicious actors to introduce executable code to their smart contracts disguised as inline comments,” OpenZeppelin’s CEO Demian Brener told CoinDesk.

He continued:

“The good news is that it was found and patched before the platform was live. Issues once thought of as benign can become more severe in the blockchain setting because auditability substitutes for trust.”

Founded in 2015, OpenZeppelin works with leading cryptocurrency, blockchain and internet enterprises including Coinbase, Brave browser and the Ethereum Foundation. The authors of Move work at Calibra, a subsidiary of Facebook focused on wallet development, and contributed the language to the non-profit Libra Association under a Creative Commons license.

Brener said the code was disclosed to Libra Aug. 6, with the Libra team evaluating and fixing the bug over the following month. As of Sept. 4, the patch was reviewed and confirmed to be fixed by OpenZeppelin.

Libra's stablecoin will have certain programmable features, such as the ability to make smart contracts. The full features of these smart contracts have yet to be disclosed.

Brener told CoinDesk the Libra team was highly responsive to the audits.

As larger protocols continue to develop in size and scope, Brener said audits are only growing in importance. Projects like Libra, with the potential for an international audience, require additional scrutiny, he said.

“We are seeing how huge and complex these systems are Libra is the first of many that are coming… and these systems go live and they manage millions of dollars by billions of people. It’s important to know what these complex systems are…people [need to be] aware of the potential.”

Earlier last month, Open Zeppelin concluded an audit on Compound, a decentralized finance protocol, which disclosed the ability to take out small, interest-free loans. Earlier today, it received an investment from Coinbase.

Demian Brener, founder, OpenZepplin, via CoinDesk archives

DISCLOSURE

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

William Foxley

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.