Blockchain infrastructure security firm OpenZeppelin has revealed a vulnerability in Move, Libra’s open-source scripting language, which would have enabled hackers to take control of smart contracts on the network.
The Move language can define custom resource types, where a resource cannot be copied or deleted, only moved between storage locations. The vulnerability is a flaw in the compiler for Move’s intermediate representation language that lets inline comments be exploited to run malicious code on the network. According to the security firm’s CEO, Demian Brener:
“As cryptocurrency continues to grow in popularity, it is vital for companies to audit and ensure that their networks are secure. Libra is groundbreaking, and it’s great how they involve the community by open sourcing their code early in the process. Because of this, we were able to find this vulnerability before the Libra network went live, averting potentially damaging effects. Our team shared several exploit scenarios with the Libra team that illustrated why they needed to address this issue quickly.”
More about the vulnerability can be read on OpenZeppelin’s blog.
According to Brener, the team behind Facebook’s Libra responded quickly to the audits, and has applied a patch to ensure that this vulnerability cannot be exploited further. While we know that Libra will have programmable smart contracts, the depth of these features is yet to be announced.
OpenZeppelin also works with Coinbase, Brave browser and the Ethereum Foundation.