- A software developer has drawn attention to a “loophole” in the MakerDAO system which describes a theft of all 340 million ethereum (ETH) currently stored in the system.
- In response, the MakerDAO team published a poll on the Governance Security Module (GSM) in the governance portal.
Micah Zoltu, a software developer and co-author of the original whitepaper for the decentralized prediction market Augur (REP) published a blog post on Monday describing a possible attack on the MakerDAO system. As Zoltu explains, all 340 million Ethereum (ETH) currently deposited in the MakerDAO are in danger. The hack doesn’t even require much programming knowledge. Instead, only a large amount of MakerDAO (MKR) is required.
In his blog post “how to turn $20M into $340M in 15 seconds” Zoltu explains that the ” loophole “, as Zoltu describes it, enables any attacker holding about 40,000 MKR (about 20 million US dollars) to transfer all Ether (ETH) deposited as collateral in the MakerDAO system to himself. For this the attackers would only have to use the governance model of MakerDAO by voting for their own proposal, namely to send all Ethers to the attacker’s address, with the aforementioned amount of MKR.
To prevent such attacks, there is a delay time (“Governance Security Module” – GSM) in the MakerDAO system during which the MakerDAO community can conclude the contract. However, this is currently parameterized with 0. As Zoltu writes, the attack is only possible for a few MKR whales. However, owners of larger MKR amounts could also join forces to execute the attack. According to Zoltu, the attack could proceed as follows:
- Acquire 80,000 MKR.
- Create an executive contract that is programmed to transfer all collateral from MakerDAO to you.
- Vote on the contract immediately (in the same transaction).
- Immediatly (in the same transaction) activate the contract.
- Drive with 340 million USD ETH into the sunset.
As Zoltu writes, with some patience and sophistication, MKR 40,000 could be enough for the attack.
MakerDAO reacts to the accusation
Shortly after the blog post gained great attention, the MakerDAO development team responded to the accusations. They explained that the problem was known to the team and that nothing had been done on purpose because the threat was not considered real. In response to Zoltu’s blog post, it claimed that the article increased the possibility of hackers exploiting this vulnerability.
Since the launch of MCD, the delay has been set to 0. This allowed the community to take immediate action to mitigate technical errors, oracle malfunctions, or outlier cases like a market panic or an economic attack. […]
The community previously considered the possibility of the exploit but it was not an immediate issue. However, the probability of this exploit grew due to potential publicity from the aforementioned blog.
As a result, the MakerDAO team reacted yesterday. A survey has been added to the governance portal to allow the community to vote on the Governance Security Module (GSM). If the proposal is accepted, the change will increase the GSM delay from 0 to 24 hours. The potential attack would no longer be possible in the sense that it would be possible to react and close the contract.
The Maker price, however, is unimpressed by the negative headlines and moves sideways in line with the current market trend.