Vulnerability Fixed in Facebook Contract Language for Libra Cryptocurrency

The vulnerability in the Move IR compiler allows malicious actors to introduce executable code to their smart contracts," OpenZeppelin’s CEO Demian Brener told CoinDesk.

AccessTimeIconSep 10, 2019 at 6:00 p.m. UTC
Updated Sep 13, 2021 at 11:25 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

A vulnerability in Libra's open-source code that would have enabled malicious actors to manipulate smart contracts has been uncovered and patched by a third-party audit firm specializing in cryptocurrency.

Specifically, developers working for startup OpenZeppelin found vulnerabilities in Move, the scripting language developed by Facebook for the open-source Libra cryptocurrency project, an effort backed by major companies including Facebook, Lyft, Uber and MasterCard. If allowed in executable code, the vulnerabilities disclosed to the Libra team could have been severe.

“The vulnerability in the Move IR compiler allows malicious actors to introduce executable code to their smart contracts disguised as inline comments,” OpenZeppelin’s CEO Demian Brener told CoinDesk.

He continued:

“The good news is that it was found and patched before the platform was live. Issues once thought of as benign can become more severe in the blockchain setting because auditability substitutes for trust.”

Founded in 2015, OpenZeppelin works with leading cryptocurrency, blockchain and internet enterprises including Coinbase, Brave browser and the Ethereum Foundation. The authors of Move work at Calibra, a subsidiary of Facebook focused on wallet development, and contributed the language to the non-profit Libra Association under a Creative Commons license.

Brener said the code was disclosed to Libra Aug. 6, with the Libra team evaluating and fixing the bug over the following month. As of Sept. 4, the patch was reviewed and confirmed to be fixed by OpenZeppelin.

Libra's stablecoin will have certain programmable features, such as the ability to make smart contracts. The full features of these smart contracts have yet to be disclosed.

Brener told CoinDesk the Libra team was highly responsive to the audits.

As larger protocols continue to develop in size and scope, Brener said audits are only growing in importance. Projects like Libra, with the potential for an international audience, require additional scrutiny, he said.

“We are seeing how huge and complex these systems are Libra is the first of many that are coming… and these systems go live and they manage millions of dollars by billions of people. It’s important to know what these complex systems are…people [need to be] aware of the potential.”

Earlier last month, Open Zeppelin concluded an audit on Compound, a decentralized finance protocol, which disclosed the ability to take out small, interest-free loans. Earlier today, it received an investment from Coinbase.


Demian Brener, founder, OpenZepplin, via CoinDesk archives


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.

Read more about