Maker Foundation Announces Governance Polls to Address $340 Million Vulnerability

Michael LaVere
  • The Maker Foundation has announced a series of governance polls in response to a potentially massive network vulnerability.
  • Software developer Micah Zoltu outlined how an attacker could steal $340 million from the MakerDAO network.

The Maker Foundation, the group behind the decentralized crypto platform MakerDAO, has issued a response over their potential $340 million vulnerability. 

On Dec. 9, software developer Micah Zoltu outlined in a Medium post how a hacker could use $20 million to launch an attack on the MakerDAO network and secure close to $340 million, all in about 15 seconds. 

According to Zoltu,

Anyone with ~40,000 MKR (about 20,000,000 USD) can steal all of the collateral in Maker DAO, both DAI and SAI, along with a good chunk of assets from Compound, Uniswap, and other Maker integrated systems (over 340,000,000 USD).

He continued, 

Maker DAO v2 (AKA Multi-Collateral DAI, AKA McDAI) was supposed to launch with safeguards (emergency shutdown and governance delay) against a hostile MKR holder stealing all collateral and potentially robbing a good chunk of Uniswap, Compound, and other systems integrated with Maker in the process. Instead, they decided not to.

The Maker Foundation responded with its own blog post later in the day, announcing a series of governance polls on its voting system. One poll in particular asks the Maker community whether the current Governance Security Module (GSM) should be upgraded so that its delay is increased from 0 seconds to 24 hours. 

According to the proposal, 

The GSM is designed to give the MKR token holders a chance to review any changes that will go into the system and act accordingly if those changes are deemed to be malicious. Since the launch of MCD, the delay has been set to 0. This allowed the community to take immediate action to mitigate technical errors, oracle malfunctions, or outlier cases like a market panic or an economic attack.

Assuming the proposal passes, the increased GSM delay would give the community time to review a pending governance change and block the kind of malicious action outlined by Zoltu before it takes effect.
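To show why the choice between a 0-second and a 24-hour delay matters, here is an added Python model (not Maker's own code) of a pause contract loosely following the plot/drop/exec timelock pattern: a change is scheduled, can only execute once the delay has elapsed, and can be dropped during the review window. The class, function and scenario names are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Plan:
    change: str
    eta: int            # earliest time (seconds) at which the change may execute
    dropped: bool = False
    executed: bool = False

@dataclass
class GovernancePause:
    """Toy model of a governance delay (GSM): constructed, not Maker's contract."""
    delay: int                       # seconds between plotting and executing a change
    plans: dict = field(default_factory=dict)

    def plot(self, change, now):
        """A governance vote schedules a change; it becomes executable at now + delay."""
        self.plans[change] = Plan(change, now + self.delay)
        return self.plans[change].eta

    def drop(self, change):
        """Governance cancels a scheduled change during the review window."""
        self.plans[change].dropped = True

    def exec(self, change, now):
        """Apply a scheduled change; refused if dropped or if the delay has not elapsed."""
        plan = self.plans[change]
        if plan.dropped:
            raise PermissionError("plan was dropped")
        if now < plan.eta:
            raise PermissionError("delay has not elapsed")
        plan.executed = True
        return plan.change

def outcome(delay, reviewers_respond_after):
    """Simulate a hostile change plotted at t=0 under a given GSM delay.
    reviewers_respond_after: seconds until the community notices and drops it.
    Returns 'executed' or 'dropped'."""
    pause = GovernancePause(delay)
    pause.plot("hostile change", now=0)
    try:                                  # attempt to execute in the same block
        pause.exec("hostile change", now=0)
        return "executed"
    except PermissionError:
        pass                              # delay blocked immediate execution
    if reviewers_respond_after < delay:   # community reviews and cancels in time
        pause.drop("hostile change")
    try:
        pause.exec("hostile change", now=delay)
        return "executed"
    except PermissionError:
        return "dropped"

DAY = 24 * 3600
# delay 0: change lands instantly; delay 24 h: responders acting within the window stop it
print(outcome(0, 3600), outcome(DAY, 3600), outcome(DAY, 2 * DAY))
```

The third case shows the caveat: a delay only helps if the community actually reacts within the window.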


Attacker Exploits Defi Protocol to Make $360,000 in a Single Transaction

Francisco Memoria

An attacker has managed to exploit the decentralized finance (DeFi) protocol bZx to make over $360,000 worth of profit in a single transaction through what’s known as a flash loan.

Using the decentralized trading platform dYdX, the hacker borrowed 10,000 ETH, currently worth around $2.5 million, and then sent half of it to the decentralized finance lending platform Compound and half to the decentralized trading platform bZx.

Using the funds on Compound, he borrowed 112 wrapped bitcoin tokens (wBTC), ERC-20 tokens backed 1:1 by bitcoin. Using the half on bZx, the hacker entered a short position for 112 wBTC. He then sent the 112 wBTC he got from Compound to another trading platform, Uniswap, in a move that lowered the price of the tokens and made the short sale profitable.

The hacker then repaid his loan to dYdX and kept the profit from the short sale, 1,300 ether that were then worth $360,000. All of this was done in a single transaction that cost around $8 worth of transaction fees.

(Screenshot of the single transaction. Source: Etherscan)

The attack was pulled off in a single transaction through what’s known as a flash loan. Essentially, the attacker borrowed 10,000 ETH without any collateral because the funds were borrowed and repaid within the same transaction. A smart contract made it possible to carry out the whole sequence atomically.

Using the exploit, the hacker made over 1,000 ETH in profit and cost the bZx protocol over $620,000 in equity. bZx has made it clear users won’t suffer from the loss as it will compensate them. Those behind the project are set to release a detailed analysis at 5pm MST.

Data from DeFi Pulse shows that investors quickly started withdrawing from bZx right after the incident occurred, but started regaining confidence as soon as the project addressed the issue and clarified they wouldn’t be socializing the loss.
