Serpent Compiler Vulnerability, REP & Solidity Migration

Augur’s smart contracts are currently written in Serpent, a low-level programming language that pre-dates the widely-used, higher-level Solidity language. This past May, we hired Zeppelin Solutions to perform a formal security audit of the Serpent compiler. After two months of review, Zeppelin has published their audit results. [1]The most hair-raising finding in Zeppelin’s audit report is a previously-unknown buffer overflow vulnerability in the Serpent compiler. This, combined with Serpent’s un-enforced types and a bug in Serpent’s computation of memory addresses, caused a non-loss-of-funds vulnerability in the REP token contract. The vulnerability allows someone to increase the token creation timestamp, indefinitely disabling transfers of the token. For a technical breakdown of the vulnerability, please read Zeppelin’s analysis.Over the past two weeks, Augur and Zeppelin have been working around-the-clock on a strategy to migrate REP to a new, secure contract. The new REP contract is written in Solidity, and is derived from OpenZeppelin’s ERC20 token contracts, which have undergone extensive security audits. Today, at 10:01 AM PST, the Augur team intentionally triggered the vulnerability, increasing the creation timestamp by about 31 billion years. The old Serpent REP contract is now frozen: REP transfers can no longer be carried out using the old contract.Right now, we are copying all REP balances to the new Solidity REP contract. If you are a REP holder, there is nothing you need to do! As soon as the REP migration is complete, your REP balance will be exactly as it was before the migration. The REP migration should only take a couple hours, if all goes well.Serpent REP Token Link // Solidity REP Token LinkWe notified exchanges, wallets, and block explorers on 2017 July 27 at 10:00am PST. The Augur and Zeppelin teams are currently working with them to update their software to use the new REP contract.